Hackers are using these malicious npm packages to target developers on Windows, macOS, and Linux systems – here’s how to stay safe
The malicious npm packages have been downloaded nearly 10,000 times, researchers warned
Security experts have issued a warning to developers after ten malicious npm packages were found to deliver infostealer malware across Windows, Linux, and macOS systems.
Analysis by researchers at Socket's Threat Research Team shows the malware distributed as part of the campaign uses four layers of obfuscation to hide payloads, displays a fake CAPTCHA to appear legitimate, and fingerprints victims by IP address.
It downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS.
"This malware demonstrates multiple advanced techniques rarely seen together in npm supply chain attacks," said the researchers.
The ten packages were published on July 4, researchers noted, and have remained live for over four months, clocking up more than 9,900 downloads between them.
Researchers have asked the npm registry to remove them to prevent future victims from falling prey.
How the malicious npm packages work
The packages were registered under typosquatted names to mimic legitimate libraries. These include:
- typescriptjs, mimicking TypeScript
- deezcord.js and dezcord.js, mimicking discord.js
- etherdjs, ethesjs and ethetsjs, mimicking ethers.js
- nodemonjs, mimicking nodemon
- react-router-dom.js, mimicking react-router-dom
- zustand.js, mimicking zustand
Once installed, the malware serves a fake CAPTCHA prompt. It detects the victim's operating system and launches the obfuscated payload in a new terminal window, meaning the malware runs independently of the npm install process.
"Developers who glance at their terminal during installation see a new window briefly appear, which the malware immediately clears to avoid suspicion," the researchers said.
It uses four distinct layers of obfuscation. A "Self-Decoding Eval Wrapper" wraps the entire payload in an immediately-invoked function expression that reconstructs and evaluates itself, preventing cursory inspection of the code.
The second layer uses an XOR cipher with a dynamically generated key derived from hashing the decoder function itself, making automated decryption difficult without executing the code.
In the third layer, the payload string is URL-encoded, requiring URI decoding before XOR decryption: a barrier to static analysis tools that do not implement full JavaScript evaluation.
Finally, in the fourth layer, the decoded code uses switch-case state machines with hexadecimal and octal arithmetic to obscure program flow.
Thereafter, it sends the victim's geolocation and system fingerprint information to the attacker's command and control (C2) server, then downloads and automatically launches a platform-specific data extractor binary.
"This cross-platform approach ensures developers on any operating system receive a fully functional information stealer tailored to their platform's credential storage mechanisms," researchers said.
"Windows developers have their Credential Manager harvested, macOS developers have their Keychain extracted, and Linux developers have their SecretService keyrings compromised."
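The four obfuscation layers described above can be expressed as static heuristics. The following added example (my code, not Socket's tooling) scores a JavaScript source string for those indicators and returns the ones it finds; the sample input is constructed and inert.

```javascript
// Heuristic scanner for the obfuscation traits the article describes (added
// example, not Socket's tooling). Each indicator is a regex test on raw source:
// 1. an IIFE that rebuilds a string and hands it to eval() (self-decoding wrapper)
// 2. XOR decoding keyed on the decoder's own source via Function.toString()
// 3. decodeURIComponent() output feeding the XOR loop (URL-encoded payload layer)
// 4. switch-based control flow driven by many hex/octal numeric literals
const INDICATORS = [
  { name: 'self-decoding eval wrapper',
    test: (s) => /\(\s*function\b[\s\S]{0,400}?\beval\s*\(/.test(s) },
  { name: 'decoder self-hash key (toString on own function)',
    test: (s) => /\.toString\s*\(\s*\)[\s\S]{0,200}?charCodeAt/.test(s) && /\^/.test(s) },
  { name: 'URI-decoded XOR payload',
    test: (s) => /decodeURIComponent\s*\([\s\S]{0,300}?\^/.test(s) },
  { name: 'switch-case state machine with hex/octal arithmetic',
    test: (s) => /switch\s*\(/.test(s) &&
      (s.match(/\b0x[0-9a-fA-F]+\b|\b0o[0-7]+\b|\b0[0-7]+\b/g) || []).length >= 6 },
];

// Returns the names of all indicators present, in the order above.
function scanSource(source) {
  return INDICATORS.filter((i) => i.test(source)).map((i) => i.name);
}

// Two or more indicators together is the pattern worth pulling for manual review.
function isSuspicious(source, threshold = 2) {
  return scanSource(source).length >= threshold;
}

// Constructed, non-functional sample that imitates the traits (not real malware).
const SAMPLE = `
(function d(p){var k=0,s=d.toString();for(var i=0;i<s.length;i++)k^=s.charCodeAt(i);
var u=decodeURIComponent(p),o='';for(var j=0;j<u.length;j++)o+=String.fromCharCode(u.charCodeAt(j)^k);
eval(o);})('%41%42');
var st=0x0;while(true){switch(st){case 0x1:st=0x2;break;case 0x2:st=0o3;break;case 0o3:st=0x4;break;case 0x4:return;}}
`;

// Constructed benign install script for comparison.
const BENIGN = "const x = require('fs'); module.exports = () => x.readFileSync('a');";
```

In practice the scanner is run over each package's `preinstall`/`postinstall` script and entry file after `npm pack`, before the package is installed.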
How to stay safe
According to Socket, developers should immediately audit their dependencies for the ten malicious packages and assume that any system where they've been installed is fully compromised.
Similarly, they should reset all credentials stored in system keyrings and password managers, revoke authentication tokens for all services including OAuth, JWT, and API keys, enable multi-factor authentication on all accounts if not already enabled, and rotate SSH keys while reviewing authorized keys on all systems.
Access logs should be audited for unusual activity on connected services, and teams should check for lateral movement from compromised systems to production infrastructure.
Browser history should be reviewed for potential credential theft from saved passwords, and monitoring should be established for unauthorized access to repositories, cloud services, and internal systems.
Finally, VPN and firewall logs should be reviewed for connections to 195[.]133[.]79[.]43, and any additional persistence mechanisms that may have been installed should be identified and removed.
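To carry out the dependency audit recommended above, the following added example (not Socket's tooling) walks an npm lockfile in both the v1 and v2/v3 layouts and reports direct and nested occurrences of the typosquatted names listed earlier; the lockfile content is constructed. The article says ten packages were published but gives nine names, so the set below has nine.

```javascript
// Added example (not Socket's tooling): report any of the typosquatted package
// names the article lists, including transitive copies nested under other packages.
// The article counts ten packages; only these nine names appear in it.
const MALICIOUS_NAMES = new Set([
  'typescriptjs', 'deezcord.js', 'dezcord.js', 'etherdjs', 'ethesjs',
  'ethetsjs', 'nodemonjs', 'react-router-dom.js', 'zustand.js',
]);

// Handles lockfileVersion 2/3 ("packages" keyed by install path) and
// lockfileVersion 1 ("dependencies" nested by name). Returns [{name, path, version}].
function findMaliciousPackages(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === '') continue;                  // root project entry
      const name = installPath.split('node_modules/').pop(); // keeps @scope/name intact
      if (MALICIOUS_NAMES.has(name)) hits.push({ name, path: installPath, version: meta.version });
    }
    return hits;                                         // v2 also carries "dependencies"; avoid double counting
  }
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (MALICIOUS_NAMES.has(name)) hits.push({ name, path, version: meta.version });
      walkV1(meta.dependencies, `${path}/`);
    }
  };
  walkV1(lock.dependencies, '');
  return hits;
}

// Constructed lockfile (v3 shape) with one direct and one nested typosquat.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'zustand.js': '1.0.0', react: '18.3.1' } },
    'node_modules/react': { version: '18.3.1' },
    'node_modules/zustand.js': { version: '1.0.0' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/etherdjs': { version: '0.1.0' },
  },
};

// Typical use: findMaliciousPackages(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
```

Any hit means the host should be treated as compromised and the credential rotation steps above applied, not merely the package removed.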
Malicious npm packages keep causing chaos
The use of malicious npm packages has quickly become a key tactic for threat actors targeting developers across a range of industries, with a host of major campaigns uncovered this year alone.
Javvad Malik, lead CISO Advisor at KnowBe4, said the frequency of these campaigns underlines the need for developers to remain vigilant when downloading packages from popular ecosystems such as npm and PyPI.
"Malicious npm packages exploit the pressures developers operate under to bring functionality features to production as quickly as possible. Much like apps on mobile phones, people will often skip over or ignore the permissions that are being asked for in exchange for quick access to the app," he said.
"Teams should lock down by default, not just npm packages, but all third party extensions and agents. Builds should be run in isolated environments and developer credentials should be treated with the same level as production admin credentials."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.