Security researchers have identified a set of malicious npm packages that were quietly stealing credentials, tokens, and browser data from all major operating systems, including Windows, macOS, and Linux.
The packages were uploaded to npm on July 4 and remained undetected for months: several layers of obfuscation kept the loader from tripping the signature-based scanners and static analysis tools that npm and most security vendors rely on.
According to researchers at cybersecurity firm Socket, the ten malicious packages were downloaded nearly 10,000 times in total and stole sensitive data, including credentials from system keyrings, browsers, and authentication services. Surprisingly, the packages were still available on npm at the time of writing, even after Socket had reported them.
The identified packages include:
- typescriptjs
- deezcord.js
- dizcordjs
- dezcord.js
- etherdjs
- ethesjs
- ethetsjs
- nodemonjs
- react-router-dom.js
- zustand.js
The attackers used a fake CAPTCHA challenge to make the installation process look legitimate while secretly downloading a 24MB information stealer built with PyInstaller.
How Attackers Tricked Developers with Fake Packages
To trick developers, the threat actors used typosquatting: each package name imitates a popular npm package (TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand), either by bolting a "js" or ".js" suffix onto the real name or by swapping a letter or two. A developer who mistypes a name or copies the wrong one from a search result installs the malicious version without noticing.
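Both naming tricks can be caught mechanically before a lockfile is committed. The following check is an added example (not code from the article or from Socket's research): it strips the suffix and punctuation, then compares every dependency name against a short allowlist of well-known packages using edit distance. The allowlist, the suffix handling and the distance thresholds are heuristics chosen for this example, and the dependency list it scans is constructed from the ten reported names plus three legitimate ones.

```javascript
// Added example (not from the article or from Socket's research): flag
// dependency names that look like a well-known package but are not that
// package. Allowlist, suffix handling and thresholds are example heuristics.

// Popular packages imitated in this campaign, plus a few common neighbours.
const POPULAR = [
  'typescript', 'discord.js', 'ethers', 'nodemon', 'react-router-dom',
  'zustand', 'react', 'react-dom', 'express', 'lodash',
];

// Standard Levenshtein edit distance (insert, delete, substitute).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Collapse the tricks used by this campaign: a bolted-on "js"/".js" suffix,
// punctuation and case. "react-router-dom.js" and "react-router-dom" both
// become "reactrouterdom".
function normalize(name) {
  return name.toLowerCase().replace(/\.?js$/, '').replace(/[^a-z0-9]/g, '');
}

// A name is a lookalike of `target` when it is not the target itself but
// normalises to the same string, or sits within a small edit distance of it.
function isLookalike(candidate, target) {
  if (candidate === target) return false;
  const a = normalize(candidate);
  const b = normalize(target);
  if (a === b) return true;
  if (Math.abs(a.length - b.length) > 2) return false;    // "react-dom" vs "react" is fine
  const limit = Math.max(a.length, b.length) >= 8 ? 3 : 2; // heuristic threshold
  return levenshtein(a, b) <= limit;
}

// Report each dependency that imitates an allowlisted name.
function findLookalikes(dependencyNames, popular = POPULAR) {
  const findings = [];
  for (const dep of dependencyNames) {
    if (popular.includes(dep)) continue;                   // exact known-good name
    const target = popular.find((p) => isLookalike(dep, p));
    if (target) {
      findings.push({
        name: dep,
        lookalikeOf: target,
        distance: levenshtein(normalize(dep), normalize(target)),
      });
    }
  }
  return findings;
}

// Constructed dependency list: the ten package names reported by Socket plus
// three legitimate ones that must not be flagged.
const SAMPLE_DEPENDENCIES = [
  'typescriptjs', 'deezcord.js', 'dizcordjs', 'dezcord.js', 'etherdjs',
  'ethesjs', 'ethetsjs', 'nodemonjs', 'react-router-dom.js', 'zustand.js',
  'react', 'express', 'lodash',
];

for (const f of findLookalikes(SAMPLE_DEPENDENCIES)) {
  console.log(`${f.name.padEnd(22)} looks like ${f.lookalikeOf} (distance ${f.distance})`);
}
```

Run it over the `dependencies` and `devDependencies` keys of a real package.json and treat every hit as a name to verify by hand against the registry page of the package it resembles. The length guard and the size-dependent threshold keep genuine neighbours such as react-dom from being reported against react; widen the allowlist to the packages your organisation actually depends on.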
Once installed, the package's postinstall script opens a new terminal window using a command chosen for the host operating system, runs an app.js file in it in the background, and clears the terminal screen so that nothing unusual shows up in the installer's output.
The app.js file acts as a malware loader and uses four layers of obfuscation:
- A self-decoding eval wrapper
- XOR decryption with a dynamically generated key
- A URL-encoded payload
- Complex control-flow obfuscation
The script displays a fake CAPTCHA in the terminal to make the installation process appear legitimate.
After this, the loader sends the victim's geolocation and system details to the attacker's command-and-control (C2) server, then downloads a platform-specific executable (the 24MB PyInstaller-built stealer) and launches it on the infected system.
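The chain described above (an install hook that launches an obfuscated loader) leaves textual traces that can be audited before the hook ever runs. The following is an added example, not code from the article or from Socket's research, and it goes slightly beyond the page by also looking at preinstall, install and prepare hooks. It scans a set of packages, each given as its parsed package.json plus source text, for an install hook and for the loader traits named above (eval, a URL-encoded blob, a charCodeAt XOR loop, clearing the terminal, spawning a terminal emulator). The patterns and the verdict rule are heuristics chosen for this example; the three sample packages are constructed, and the "loader" in the third one is an inert text fragment with a placeholder blob that is only scanned, never executed.

```javascript
// Added example (not from the article or from Socket's research): audit
// installed packages for the loader shape described above, i.e. an install
// hook plus several obfuscation and evasion traits in the package's sources.
// Patterns and verdict rule are example heuristics; legitimate packages also
// use postinstall and child_process, so hits are leads for review.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// [label, pattern] pairs matched against each source file of a package.
const SOURCE_PATTERNS = [
  ['eval() call', /\beval\s*\(/],
  ['URL-encoded payload', /decodeURIComponent\s*\(|(%[0-9a-f]{2}){16,}/i],
  ['XOR decode loop', /charCodeAt\([^)]*\)\s*\^/],
  ['clears the terminal', /console\.clear\s*\(|\\x1b\[2J|\\x1bc/],
  ['spawns a terminal window', /\b(osascript|gnome-terminal|xterm|x-terminal-emulator|cmd\.exe)\b/],
  ['hard-coded IP address URL', /https?:\/\/\d{1,3}(\.\d{1,3}){3}/],
];

// pkg = { name, manifest: <parsed package.json>, sources: { file: text } }
function auditPackage(pkg) {
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  const reasons = [];
  const hooks = INSTALL_HOOKS.filter((h) => scripts[h]);
  for (const h of hooks) reasons.push(`declares ${h}: ${scripts[h]}`);
  for (const [file, text] of Object.entries(pkg.sources || {})) {
    for (const [label, re] of SOURCE_PATTERNS) {
      if (re.test(text)) reasons.push(`${file}: ${label}`);
    }
  }
  const indicators = reasons.length - hooks.length;
  // Verdict rule: an install hook plus two or more loader traits is the shape
  // of this campaign; a hook alone, or traits without a hook, needs a look.
  let verdict = 'ok';
  if (hooks.length > 0 && indicators >= 2) verdict = 'suspicious';
  else if (hooks.length > 0 || indicators > 0) verdict = 'review';
  return { name: pkg.name, verdict, reasons };
}

function auditAll(packages) {
  return packages.map(auditPackage);
}

// Constructed samples. The third mimics the described chain with an inert
// placeholder blob; it is scanned as text and never executed.
const FAKE_LOADER = [
  'const cp = require("child_process");',
  'const term = process.platform === "win32" ? "cmd.exe"',
  '  : process.platform === "darwin" ? "osascript" : "gnome-terminal";',
  'const key = Date.now() % 251;',
  'const blob = "%3a%3b%3c%3d%3e%3f%40%41%42%43%44%45%46%47%48%49"; // placeholder',
  'const code = decodeURIComponent(blob).split("")',
  '  .map((c) => String.fromCharCode(c.charCodeAt(0) ^ key)).join("");',
  'console.clear();',
  'eval(code);',
].join('\n');

const SAMPLE_PACKAGES = [
  { name: 'tiny-util', manifest: { scripts: { test: 'node test.js' } },
    sources: { 'index.js': 'module.exports = (s) => s.trim();' } },
  { name: 'native-helper', manifest: { scripts: { postinstall: 'node-gyp rebuild' } },
    sources: { 'index.js': 'module.exports = require("./build/Release/helper.node");' } },
  { name: 'dezcord.js', manifest: { scripts: { postinstall: 'node app.js' } },
    sources: { 'app.js': FAKE_LOADER } },
];

for (const r of auditAll(SAMPLE_PACKAGES)) {
  console.log(`${r.name.padEnd(14)} ${r.verdict.padEnd(10)} ${r.reasons.join('; ')}`);
}
```

The cheapest defence is to not let install hooks run at all: `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) skips preinstall, install and postinstall for every dependency, and the few packages that genuinely need a build step can then be rebuilt individually with `npm rebuild <name>` after a look at what their script does. On a tree that was installed normally, `npm query` (npm 8.16 and later; see `npm help query` for the selector syntax) can list which installed packages declare a postinstall hook, which gives this audit its input.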
The information stealer targets system keyrings like macOS Keychain, Windows Credential Manager, and Linux services such as KWallet, libsecret, and SecretService. It also collects data from Chromium-based and Firefox browsers, including saved passwords, cookies, and profiles. Moreover, it searches for SSH keys, OAuth tokens, JWTs, and other API credentials.
All stolen data is compressed and sent to the attacker’s server at 195[.]133[.]79[.]43, after being temporarily stored in /var/tmp or /usr/tmp.
Developers who installed any of these packages should treat the machine as compromised: remove the package, rebuild or thoroughly clean the system, and rotate every password, SSH key, API token and session cookie that was stored on it, since the stealer collects exactly those.
More generally, check the exact package name, publisher and repository link before installing rather than trusting a search result, and where the workflow allows it, install with lifecycle scripts disabled (`npm install --ignore-scripts`) so that a postinstall hook like this one cannot run unnoticed.