# Full Report
Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems. "The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests
# Analysis Summary
# Tool/Technique: Malicious npm Packages delivering Information Stealer
## Overview
A set of 10 malicious npm packages designed to exploit developers by distributing a multi-stage information stealer targeting credentials stored on Windows, Linux, and macOS systems. The packages utilize typosquatting to appear legitimate.
## Technical Details
- Type: Malware (information stealer delivered via malicious packages published to the npm registry)
- Platform: Windows, Linux, macOS
- Capabilities: Credential harvesting from keyrings, browsers, and authentication services; multi-layered obfuscation; system fingerprinting (IP address).
- First Seen: July 4, 2025 (date of upload to npm registry)
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.006 - Spearphishing Link (Implied via package installation dependency chain/trust abuse)
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell (Windows) / T1059.006 - Python (Deployment of PyInstaller binary)
- T1036 - Masquerading
- T1036.003 - Rename System Utilities (Mimicking legitimate package installation process with fake CAPTCHA)
- T1083 - File and Directory Discovery (Used by the final stealer binary)
- T1552 - Unsecured Credentials
- T1552.002 - Credentials from Password Stores (Targeting system keyrings)
## Functionality
### Core Capabilities
- **Initial Compromise:** Utilizes typosquatted npm package names (e.g., *deezcord.js*, *etherdjs*) to deceive developers into installation.
- **Execution Trigger:** Malicious functionality executes automatically upon installation via a `postinstall` hook, launching `install.js`.
- **System Fingerprinting:** Captures the victim's IP address and transmits it to a Command and Control (C2) server.
- **Deception:** Displays a fake CAPTCHA and seemingly legitimate installation output to mask malicious activity.
- **Payload Delivery:** Downloads a 24MB PyInstaller-packaged information stealer (`data_extracter`) from the C2 server.
### Advanced Features
- **Multi-Layered Obfuscation:** The initial JavaScript payload employs four layers of obfuscation, including an XOR cipher with dynamic keys, URL-encoding, and hexadecimal/octal arithmetic, to hinder static analysis.
- **Independent Execution:** Spawns a new terminal window (Command Prompt, GNOME Terminal, etc.) to run the main payload (`app.js`) independently of the `npm install` process, immediately clearing the window to avoid suspicion.
- **System Keyring Access:** The final stealer binary leverages the `keyring` library (the stealer itself is a PyInstaller-packaged Python binary) to directly extract decrypted credentials from system keyrings storing data for email clients, cloud tools, VPNs, and SSH.
- **Data Exfiltration:** Harvested secrets are compressed into a ZIP archive and exfiltrated to the attacker-controlled server.
## Indicators of Compromise
- File Hashes: Not specified in the source report.
- File Names: `install.js`, `app.js`, `data_extracter` (final binary).
- Registry Keys: Not specified in the source report.
- Network Indicators: **195.133.79[.]43** (C2 server IP address).
- Behavioral Indicators: Installation of the named packages; spawning of new terminal instances during package installation; execution of obfuscated JavaScript files.
## Associated Threat Actors
- Unknown. The source report does not attribute the activity; the tradecraft is consistent with a financially motivated or espionage group targeting the software supply chain.
## Detection Methods
- Signature-based detection: Matching the specific malicious package names in dependency manifests, lockfiles, and artifact repositories (registry mirrors).
- Behavioral detection: Monitoring for post-installation scripts that spawn new terminal windows immediately upon package installation; monitoring for network connections to suspicious IPs immediately following npm operations.
- YARA rules: Potentially applicable to the known obfuscation patterns in the JavaScript loader or to the structure of the 24MB PyInstaller binary.
## Mitigation Strategies
- **Supply Chain Security:** Utilize audited and verified dependency registries or private enterprise package managers.
- **Package Vetting:** Scrutinize package metadata, download counts, and recent activity before installing unknown libraries, especially those that are typosquatted copies of popular packages.
- **Execution Monitoring:** Monitor filesystem activity and process creation during package installation phases, looking for unauthorized script execution (`postinstall` hooks).
- **Principle of Least Privilege:** Developers should operate with restricted permissions where possible to limit the damage from credential harvesting.
## Related Tools/Techniques
- Typosquatting: A common software supply chain attack vector used to trick users into installing malicious libraries; related registry-abuse techniques include dependency confusion attacks.
- PyInstaller: Used here to package and deploy a multi-platform native binary payload, bypassing potential JavaScript sandboxing.
- Credential Stealers targeting OS Keyrings: Similar TTPs found in malware targeting secrets management on operating systems.