Stealthy npm Packages Deploy Multi-Stage Credential Harvesters Across Platforms
The npm ecosystem has recently been infiltrated by ten malicious packages designed to execute automatically upon installation, deploying sophisticated credential-harvesting malware. This campaign signifies a notable advancement in supply chain attacks, utilizing multiple obfuscation layers and cross-platform compatibility to target developers on Windows, Linux, and macOS systems.
Typosquatting Tactics
The attackers employed typosquatting, creating package names that closely resemble popular JavaScript libraries such as discord.js, ethers.js, and TypeScript. This strategy exploits common typographical errors made by developers during package installation, increasing the likelihood of unintentional downloads. These malicious packages were first published on July 4, 2025, and remained active for over four months, amassing more than 9,900 downloads before being identified by analysts at Socket.dev.
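A defensive check for the lookalike names described above, as an added example that is not part of the original report: it compares a manifest's dependency names against a short list of packages the team really uses and flags near misses. The protected list, the distance threshold and the sample manifest are assumptions constructed for illustration (`ethers` is the npm name of ethers.js).

```javascript
// Names the project genuinely depends on (assumption: curated by the team).
const PROTECTED = ["discord.js", "ethers", "typescript"];

// Levenshtein distance, computed one row at a time.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Lowercase and drop separators so "discordjs" and "discord.js" compare equal.
const normalize = (name) => name.toLowerCase().replace(/[^a-z0-9]/g, "");

// Return every dependency that is not a protected name but sits within
// maxDistance edits of one after normalization (distance 0 = separator trick).
function findLookalikes(dependencyNames, protectedNames = PROTECTED, maxDistance = 2) {
  const findings = [];
  for (const dep of dependencyNames) {
    if (protectedNames.includes(dep)) continue; // exact match is the real package
    for (const known of protectedNames) {
      const distance = editDistance(normalize(dep), normalize(known));
      if (distance <= maxDistance) findings.push({ dependency: dep, resembles: known, distance });
    }
  }
  return findings;
}

// Constructed sample manifest; the misspelled names are made up for this example.
const samplePackageJson = {
  dependencies: { "discord.js": "^14.0.0", "discrod.js": "^1.0.0", express: "^4.18.0" },
  devDependencies: { typescrpt: "^5.0.0", discordjs: "^1.0.0" },
};
const names = Object.keys({ ...samplePackageJson.dependencies, ...samplePackageJson.devDependencies });
console.log(findLookalikes(names));
```

A hit is a prompt for manual review, not proof of malice; short legitimate names can sit within two edits of each other.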
Execution Mechanism
Each compromised package utilizes npm’s postinstall lifecycle hook to execute immediately upon installation. To evade detection, the malware launches in a new terminal window, operating independently of the npm install command. This design minimizes the chances of developers noticing any unusual activity during the installation process.
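To see which installed packages would run code through the lifecycle hook described above, the following added example (not code from the original report) walks a `node_modules` tree and lists every install-time script it finds. The package names and the temporary fixture are constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// npm runs these lifecycle scripts automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Walk a node_modules tree (scoped and nested packages included) and return
// every install-time hook found, keyed by the package's path under `root`.
function findInstallScripts(nodeModulesDir, root = nodeModulesDir) {
  const findings = [];
  if (!fs.existsSync(nodeModulesDir)) return findings;
  for (const entry of fs.readdirSync(nodeModulesDir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const dir = path.join(nodeModulesDir, entry.name);
    if (entry.name.startsWith("@")) {
      findings.push(...findInstallScripts(dir, root)); // @scope/ holds packages one level down
      continue;
    }
    let scripts = {};
    try { scripts = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8")).scripts || {}; }
    catch { /* no manifest or invalid JSON: nothing for npm to run here */ }
    for (const hook of INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")) {
      findings.push({ package: path.relative(root, dir), hook, command: scripts[hook] });
    }
    findings.push(...findInstallScripts(path.join(dir, "node_modules"), root)); // nested deps
  }
  return findings;
}

// Constructed fixture: three made-up packages written to a temp directory.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "hook-audit-"));
  const pkgs = {
    "plain-lib": { test: "node test.js" },
    "sample-lookalike": { postinstall: "node install.js" },
    "@acme/native-addon": { install: "node-gyp rebuild" },
  };
  for (const [name, scripts] of Object.entries(pkgs)) {
    const dir = path.join(root, "node_modules", name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify({ name, scripts }));
  }
  return path.join(root, "node_modules");
}
console.log(findInstallScripts(buildSampleTree()));
```

Installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) keeps these hooks from running at all, so the audit output becomes the list of packages whose scripts need a deliberate decision.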
Platform Detection and Obfuscation
The malware incorporates advanced platform detection capabilities, identifying the victim’s operating system and deploying the appropriate execution method for Windows command prompts, Linux terminals, or macOS Terminal.app. To further complicate detection, the campaign employs four distinct obfuscation layers:
1. Self-Decoding Eval Wrapper: Prevents straightforward code inspection.
2. XOR Decryption with Dynamic Keys: Keys are generated based on the decoder function’s source code.
3. URL Encoding of Payload Strings: Conceals the true nature of the payload.
4. Control Flow Obfuscation: Utilizes switch-case state machines with mixed hexadecimal and octal arithmetic to obscure the code’s logic.
This multi-layered obfuscation makes static analysis exceedingly challenging without full JavaScript evaluation.
Social Engineering via Fake CAPTCHA
Upon installation, the malware presents a fake CAPTCHA prompt, serving multiple purposes:
– Legitimacy: Makes the package appear authentic.
– Execution Delay: Obscures the connection between the malware’s execution and the npm install process.
– User Interaction: Requires manual input, potentially bypassing automated security scans.
– Deception: Convinces developers they are interacting with a standard security measure.
Multi-Stage Infection and Credential Harvesting
The malware’s infection mechanism is a meticulously orchestrated multi-stage process:
1. IP Fingerprinting: After the fake CAPTCHA interaction, the malware sends the victim’s IP address to a specific endpoint (http://195[.]133[.]79[.]43/get_current_ip). This allows the attacker to log installations, filter by geographical location, and monitor security researcher activity.
2. Payload Deployment: Following the CAPTCHA interaction, the malware downloads and executes a 24MB PyInstaller-packaged binary named data_extracter.
Cross-Platform Credential Theft
The data_extracter binary is a cross-platform information stealer targeting various credential storage mechanisms across major operating systems:
– Linux: Utilizes the SecretService D-Bus API and GNOME Keyring.
– macOS: Accesses Keychain Services API.
– Windows: Exploits Credential Manager.
This comprehensive approach ensures the malware can extract credentials regardless of the victim’s environment.
Targeted Data
The malware performs extensive file system reconnaissance, scanning for credential stores in:
– Browser Profile Directories: Targets SQLite databases containing cookies and passwords.
– SSH Key Directories: Seeks SSH private keys used for Git authentication.
– Cloud Service Credentials: Looks for AWS credentials files, Kubernetes configuration files, and Docker registry credentials.
– API Keys and Tokens: Searches for JSON configuration files with API keys and OAuth/JWT tokens that provide long-term access to cloud services and development platforms.
This thorough data extraction ensures the attacker captures both interactive credentials and service account credentials used in modern development workflows.
Data Exfiltration
After harvesting credentials, the malware packages the extracted data into a compressed archive and transmits it to the attacker’s command and control server at 195[.]133[.]79[.]43. The stolen credentials grant immediate access to corporate email systems, cloud infrastructure, internal networks, production databases, and authenticated web applications. Additionally, session cookies enable account takeover without triggering password reset notifications.
Recommendations for Developers
To mitigate the risk posed by such sophisticated supply chain attacks, developers are advised to:
– Verify Package Authenticity: Carefully inspect package names and sources before installation to avoid typosquatting traps.
– Monitor Installations: Be vigilant for unexpected behaviors during package installation, such as the opening of new terminal windows or prompts for unusual interactions.
– Implement Security Tools: Utilize automated dependency audits and contextual scanning tools to detect and prevent malicious packages.
– Regularly Update Credentials: Rotate access tokens and credentials periodically to minimize the impact of potential compromises.
– Stay Informed: Keep abreast of the latest security advisories and reports related to npm packages and other development tools.
By adopting these practices, developers can enhance their defenses against evolving supply chain threats and protect their projects from malicious actors.