10 Malicious npm Packages with Auto-Run Feature on Install Deploys Multi-Stage Credential Harvester

The npm ecosystem faces a sophisticated new threat as ten malicious packages have emerged, each designed to automatically execute during installation and deploy a comprehensive credential harvesting operation.

This attack campaign represents a significant evolution in supply chain compromises, combining multiple layers of obfuscation with cross-platform compatibility to target developers across Windows, Linux, and macOS environments.

The malware employs typosquatting techniques to mimic popular JavaScript libraries, making detection particularly challenging for unsuspecting developers.

Published on July 4, 2025, these packages have remained active for over four months, accumulating more than 9,900 downloads collectively before Socket.dev analysts identified their malicious nature.

The threat actor, operating under the alias andrew_r1 with the email address parvlhonor@gmx[.]com, crafted each package to closely resemble legitimate libraries including discord.js, ethers.js, TypeScript, and other commonly used development dependencies.

This typosquatting approach capitalizes on common spelling mistakes and variations that developers might inadvertently introduce when installing packages.

Each malicious package leverages npm’s postinstall lifecycle hook to execute immediately upon installation, launching in a new terminal window to avoid detection during the installation process.

The malware’s design ensures it runs independently of the npm install command, minimizing the likelihood that developers will notice unusual activity.

The packages include sophisticated platform detection capabilities, automatically identifying the victim’s operating system and deploying the appropriate execution method for Windows command prompts, Linux terminals, or macOS Terminal.app.

The campaign demonstrates advanced technical capabilities through its implementation of four distinct obfuscation layers.

These include a self-decoding eval wrapper that prevents cursory code inspection, XOR decryption with dynamically generated keys based on the decoder function’s source code, URL encoding of payload strings, and control flow obfuscation using switch-case state machines with mixed hexadecimal and octal arithmetic.

This multi-layered approach makes static analysis extremely difficult without full JavaScript evaluation.

Upon successful installation, the malware presents victims with a fake CAPTCHA prompt designed as a social engineering component.

This element serves multiple purposes: making the package appear legitimate, delaying execution to obscure its connection to npm install, requiring user interaction that may bypass automated security scans, and convincing developers they are interacting with a reputable security measure.

Multi-Stage Infection and Credential Harvesting Mechanism

The malware’s infection mechanism operates through a carefully orchestrated multi-stage process that combines deception with sophisticated data extraction capabilities.

Following the fake CAPTCHA presentation, the malware performs IP fingerprinting through an HTTP GET request to http://195[.]133[.]79[.]43/get_current_ip, which exposes the victim’s address to the threat actor and enables them to log installations, potentially filter by geographical location, and track security researcher activity.

Once the victim interacts with the CAPTCHA prompt, the malware automatically downloads and executes a 24MB PyInstaller-packaged binary called data_extracter.

Wireshark capture showing the HTTP GET request to 195[.]133[.]79[.]43/get_current_ip (Source: Socket.dev)

This cross-platform information stealer targets multiple credential storage mechanisms across all major operating systems.

The binary includes platform-specific implementations for the Linux Secret Service D-Bus API and GNOME Keyring, the macOS Keychain Services API, and Windows Credential Manager, so credential extraction works regardless of the victim’s environment.

// Detects platform and spawns new terminal window
// (module imports added for context; the published excerpt begins at the platform check)
const os = require('os');
const { exec } = require('child_process');

const platform = os.platform();
if (platform == 'win32') {
  exec('start cmd /k "node app.js"');
} else if (platform == 'linux') {
  exec('gnome-terminal -- bash -c "node app.js"', (error) => {
    if (error) exec('x-terminal-emulator -e "bash -c \'node app.js\'"');
  });
} else if (platform == 'Darwin') {
  // as excerpted: os.platform() reports 'darwin' in lower case, so this comparison never matches
  exec(`osascript -e 'tell app "Terminal"
do script "node '$(pwd)/app.js'"
end tell'`, () => {});
}

The data_extracter binary performs extensive file system reconnaissance, systematically scanning for credential stores in browser profile directories, SSH key directories, AWS credentials files, Kubernetes configuration files, and Docker registry credentials.

It targets SQLite databases containing browser cookies and passwords, JSON configuration files with API keys, SSH private keys for Git authentication, and OAuth/JWT tokens that provide long-term access to cloud services and development platforms.

This comprehensive approach ensures the attacker captures not only interactive credentials but also service account credentials and automation keys used in modern development workflows.

Upon completion of credential harvesting, the malware packages all extracted data into a compressed archive that is transmitted back to the threat actor’s command and control server at 195[.]133[.]79[.]43.

The stolen credentials provide immediate access to corporate email systems, cloud infrastructure, internal networks, production databases, and authenticated web applications, while session cookies enable account takeover without triggering password reset notifications.

The post 10 Malicious npm Packages with Auto-Run Feature on Install Deploys Multi-Stage Credential Harvester appeared first on Cyber Security News.

Source: cybersecuritynews.com
