Ethical Hacking News
Malicious NPM packages have been secretly infiltrating the npm registry, compromising sensitive data from Windows, Linux, and macOS systems. Developers are advised to take immediate action to clean up infections and rotate access tokens and passwords.
- Malicious NPM packages infiltrated the npm registry, posing a significant threat to developers and users worldwide.
- Malicious packages were uploaded on July 4th and remained undetected for an extended period due to multiple layers of obfuscation.
- The malicious packages exploited typosquatting tactics and fake CAPTCHA challenges to lure users into downloading them.
- The packages stole sensitive data from Windows, Linux, and macOS systems, including credentials, profiles, and session cookies.
- Developers who downloaded the malicious packages are advised to clean up the infection and rotate access tokens and passwords.
- Cybersecurity experts urge the npm community to take immediate action to address these vulnerabilities and improve package security.
In a shocking revelation, cybersecurity researchers at Socket have discovered that malicious NPM (Node Package Manager) packages have been secretly infiltrating the npm registry, posing a significant threat to developers and users worldwide. These malicious packages, masquerading as legitimate software projects, have been successfully downloaded nearly 10,000 times, compromising sensitive data from Windows, Linux, and macOS systems.
The malicious packages in question were uploaded to npm on July 4th and remained undetected for an extended period due to multiple layers of obfuscation that thwarted standard static analysis mechanisms. It wasn't until Socket's researchers dug deeper that they uncovered the sinister intent behind these seemingly innocuous projects. The malicious packages, dubbed "typescriptjs," "deezcord.js," "dizcordjs," "dezcord.js," "etherdjs," "ethesjs," "ethetsjs," "nodemonjs," "react-router-dom.js," and "zustand.js," were designed to download a 24MB infostealer packaged with PyInstaller.
To evade detection, the threat actor employed a fake CAPTCHA challenge to appear legitimate and lure users into downloading these malicious packages. The malicious packages exploited typosquatting tactics, leveraging misspellings or variations of legitimate package names, such as TypeScript (typed superset of JavaScript), discord.js (Discord bot library), ethers.js (Ethereum JS library), nodemon (auto-restarts Node apps), react-router-dom (React browser router), and zustand (minimal React state manager).
Upon installation, a 'postinstall' script was triggered automatically to spawn a new terminal that matched the host's detected OS. The script executed 'app.js' outside the visible install log and cleared the window immediately to evade detection. The 'app.js' file, the malware loader, employed four obfuscation layers: self-decoding eval wrapper, XOR decryption with dynamically generated key, URL-encoded payload, and heavy control-flow obfuscation.
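The two warning signs described above, look-alike package names and an install-time lifecycle hook, can be checked for in a project's own manifest before anything is installed. The following is an added example written for this article, not code from Socket or the article; the LEGIT list is taken from the legitimate names the article mentions, while the 0.4 similarity threshold and the sample manifest are constructed for illustration.

```javascript
// Added example (not from the article or Socket): audit a parsed package.json for
// dependency names that typosquat the legitimate packages the article names and for
// install-time hooks like the "postinstall" script the malicious packages abused.
const LEGIT = ["typescript", "discord.js", "ethers", "nodemon", "react-router-dom", "zustand"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return dp[a.length][b.length];
}
// Lower-case and drop a trailing "js"/".js", which the lure names
// (typescriptjs, zustand.js, ...) append to an otherwise exact legitimate name.
function normalise(name) {
  return name.toLowerCase().replace(/[-_.]?js$/, "");
}
// Return the legitimate package a name imitates, or null if it looks genuine.
// Threshold is a constructed heuristic: relative edit distance <= 0.4 after normalising.
function typosquatOf(name) {
  if (LEGIT.includes(name)) return null;
  const n = normalise(name);
  for (const legit of LEGIT) {
    const l = normalise(legit);
    if (n === l || editDistance(n, l) / Math.max(n.length, l.length) <= 0.4) return legit;
  }
  return null;
}
// Findings for one manifest: look-alike dependency names and install hooks.
function auditManifest(manifest) {
  const findings = [];
  for (const dep of Object.keys({ ...manifest.dependencies, ...manifest.devDependencies })) {
    const target = typosquatOf(dep);
    if (target) findings.push(`typosquat: ${dep} resembles ${target}`);
  }
  for (const hook of INSTALL_HOOKS)
    if (manifest.scripts?.[hook]) findings.push(`install hook: ${hook} -> ${manifest.scripts[hook]}`);
  return findings;
}
// Constructed sample manifest mixing genuine and look-alike names.
const SAMPLE = {
  dependencies: { "deezcord.js": "^1.0.0", ethers: "^6.0.0", "zustand.js": "^1.0.0" },
  devDependencies: { typescript: "^5.0.0", ethetsjs: "^1.0.0" },
  scripts: { postinstall: "node app.js", test: "jest" },
};
console.log(auditManifest(SAMPLE).join("\n"));
```

An install hook is not malicious by itself, so a hit only means the package deserves a look before `npm install` runs it.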
Furthermore, the malicious packages displayed a fake CAPTCHA in the terminal using ASCII to give false legitimacy to the installation process. They then sent the victim's geolocation and system fingerprint information to the attacker's command and control (C2) server, acquiring valuable intel on the compromised systems.
Having obtained this information, the malware downloaded and automatically launched a platform-specific binary from an external source, which was a 24MB PyInstaller-packaged executable. This infostealer targeted sensitive data stored in Windows Credential Manager, macOS Keychain, Linux SecretService, libsecret, and KWallet, as well as data stored in Chromium-based and Firefox browsers, including profiles, saved passwords, and session cookies.
The stolen information was packaged into compressed archives and exfiltrated to the attacker's server at 195[.]133[.]79[.]43, following a temporary staging step in /var/tmp or /usr/tmp. The malicious packages remained available on npm despite being reported by Socket researchers, highlighting the need for improved package verification and authentication mechanisms.
Developers who downloaded any of these malicious packages are recommended to clean up the infection and rotate all access tokens and passwords, as there is a high chance that they are compromised. Furthermore, developers should exercise extreme caution when sourcing packages from npm or other open-source indexes, double-checking for typos and ensuring that everything comes from reputable publishers and official repositories.
In light of this alarming discovery, cybersecurity experts urge the npm community to take immediate action to address these vulnerabilities. The incident serves as a stark reminder of the importance of package security and the need for developers to remain vigilant in their online activities.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-NPM-Packages-Exposed-A-Threat-to-Developers-and-Users-Alike-ehn.shtml
Published: Wed Oct 29 19:02:15 2025 by llama3.2 3B Q4_K_M