Full Report
Ten malicious packages mimicking legitimate software projects in the npm registry download an information-stealing component that collects sensitive data from Windows, Linux, and macOS systems. [...]
Analysis Summary
# Tool/Technique: Information Stealing Component delivered via Malicious NPM Packages
## Overview
This refers to a campaign where ten malicious packages mimicking legitimate software projects were uploaded to the npm registry. These packages deliver a multi-stage information-stealing component targeting sensitive credentials and data across Windows, Linux, and macOS systems.
## Technical Details
- **Type:** Malware (Information Stealer) deployed via Malicious Package
- **Platform:** Windows, Linux, macOS
- **Capabilities:** Credential harvesting from system keyrings, browsers, SSH keys, and API tokens; multi-layered obfuscation for evasion; cross-platform binary deployment.
- **First Seen:** Packages uploaded on July 4 (the year is not stated in the text; the article itself is dated October 29, 2025).
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1070.001 - Indicator Removal: File Deletion (Clearing terminal window)
- **TA0009 - Collection**
  - T1555 - Credentials from Web Browsers
  - T1555.003 - Credentials from Password Stores
  - T1555.004 - Credentials from Web Session Cookie Stores
  - T1552.001 - Credentials in Files (SSH keys, tokens)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Typosquatting Lure:** Used names like `typescriptjs`, `dizcordjs`, `ethers.js`, `nodemonjs`, `react-router-dom.js`, and `zustand.js` to trick developers.
- **Automatic Execution:** Utilizes the `postinstall` script inherent in NPM packages to trigger execution automatically upon installation.
- **Evasion:** Spawns a new terminal matching the host OS and executes the loader (`app.js`) outside the visible install log, clearing the window immediately.
- **Data Harvesting:** Specifically targets passwords, profiles, and session cookies from Chromium-based and Firefox browsers. It also extracts data from system keyrings (Windows Credential Manager, macOS Keychain, Linux SecretService, libsecret, KWallet), SSH keys, and API tokens (OAuth, JWT).
- **Exfiltration:** Packages stolen data into compressed archives and sends them to the C2 server.
### Advanced Features
- **Multi-Layered Obfuscation:** The loader (`app.js`) employs four layers of obfuscation:
  1. Self-decoding `eval` wrapper.
  2. XOR decryption using a dynamically generated key.
  3. URL-encoded payload.
  4. Heavy control-flow obfuscation.
- **Bogus CAPTCHA:** Displays a fake ASCII CAPTCHA in the terminal post-execution to provide a facade of legitimacy to the installation process.
- **Staging:** Temporarily stages collected data in directories like `/var/tmp` or `/usr/tmp` before final exfiltration.
- **Cross-Platform Binary Delivery:** Fetches and executes a 24MB, PyInstaller-packaged, platform-specific information-stealing binary from an external source after initial system profiling.
## Indicators of Compromise
- **File Hashes:** Not provided in the text.
- **File Names:** `app.js` (Malware loader), Platform-specific PyInstaller binary.
- **Registry Keys:** Not specified.
- **Network Indicators:** C2 Server: `195[.]133[.]79[.]43`
- **Behavioral Indicators:** Execution of code via `postinstall` script; communication to the C2 server sending geolocation and system fingerprint data; staging data in `/var/tmp` or `/usr/tmp`.
## Associated Threat Actors
- Unattributed threat actor utilizing typosquatting and camouflage to distribute the malware via the npm registry.
## Detection Methods
- **Signature-based detection:** Potential signatures against the known package names or the final PyInstaller binary.
- **Behavioral detection:** Detecting execution flow triggered by `postinstall` scripts, unexpected terminal window clearing, or outbound connections following package installation.
- **YARA rules:** Not provided.
## Mitigation Strategies
- **Prevention:** Double-check package names for typosquatting before installation; verify that packages originate from reputable publishers and official repositories.
- **Hardening recommendations:** Strictly vet dependencies pulled from public repositories like npm; monitor for execution of scripts outside expected package installation logs. Developers should immediately sweep systems that installed these packages and rotate all compromised credentials and access tokens.
## Related Tools/Techniques
- Typosquatting in software dependency repositories (e.g., PyPI, RubyGems, Maven).
- Use of PyInstaller to package cross-platform malicious payloads.
- Use of legitimate package scripts (e.g., `postinstall`) for initial malicious execution.