Ethical Hacking News
A set of 10 malicious npm packages has been discovered that steals developer credentials across Windows, macOS, and Linux. The packages impersonated popular libraries, served a fake CAPTCHA prompt during installation, reported the victim's IP address to an external server, and then ran an obfuscated payload automatically through an install-time hook. The final stage harvested secrets from the developer's machine, including credentials held in the operating system keyring for services such as email clients, cloud storage sync tools, and password managers.
The packages were uploaded to the registry on July 4, 2025, and accumulated more than 9,900 downloads before researchers at Socket flagged them. They impersonated popular npm libraries such as TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand, and on installation served a fake CAPTCHA prompt together with authentic-looking console output so that the setup appeared to be proceeding normally.
In the background, the package captured the victim's IP address, sent it to an external server, and then dropped the main malware. A postinstall hook ran a script named "install.js" as soon as the package was installed; it detected the victim's operating system and launched an obfuscated payload ("app.js") in a new Command Prompt window (Windows), GNOME Terminal or x-terminal-emulator (Linux), or Terminal (macOS). Because npm runs lifecycle scripts by default, nothing beyond the ordinary install command was needed to trigger it.
The JavaScript in "app.js" was hidden behind four layers of obfuscation, including an XOR cipher with a dynamically generated key, URL-encoding of the payload string, and hexadecimal and octal arithmetic used to obscure control flow. The layers were designed to resist analysis and to hinder detection by researchers and scanning tools.
The final stage fetched and executed an information stealer ("data_extracter") from the same server. It scanned the developer's machine for secrets, authentication tokens, credentials, and session cookies in web browsers, configuration files, and SSH keys, and it read the operating system keyring, which holds credentials for email clients, cloud storage sync tools, VPN connections, password managers, database connection strings, and any other application that integrates with the OS credential store.
"By targeting the keyring directly, the malware bypasses application-level security and harvests stored credentials in their decrypted form," said Socket security researcher Kush Pandya. "These credentials provide immediate access to corporate email, file storage, internal networks, and production databases."
The attack is a reminder that a package name alone is not a trust signal: the malicious packages were look-alikes of well-known libraries, and a single mistyped or auto-completed name was enough to pull in an install-time script. Practical checks include verifying the exact package name and publisher before installing, pinning dependencies with a lockfile, installing with lifecycle scripts disabled (`npm install --ignore-scripts`) and reviewing any package that genuinely needs them, and treating the presence of a postinstall hook in a small or newly published package as a reason to inspect it.
Developers who installed any of the affected packages should assume that browser sessions, SSH keys, and everything stored in the OS keyring have been exposed, and should rotate those credentials rather than only removing the package.
Related Information:
https://www.ethicalhackingnews.com/articles/Cybersecurity-Alert-10-Malicious-npm-Packages-Steal-Developer-Credentials-Across-Windows-macOS-and-Linux-ehn.shtml
https://thehackernews.com/2025/10/10-npm-packages-caught-stealing.html
Published: Wed Oct 29 12:21:10 2025 by llama3.2 3B Q4_K_M