Malicious npm Packages Spread Vidar Malware on Windows Systems via Telegram Bot Impersonation

Malicious npm Packages Target Windows Systems with Vidar Malware

A sophisticated supply-chain attack has recently emerged, targeting Windows systems through compromised npm packages. Between October 21 and 26, 2025, threat actors published 17 malicious npm packages containing 23 releases designed to deliver the Vidar infostealer malware. This campaign exploited the trust developers place in package registries, leveraging legitimate-appearing packages that masqueraded as Telegram bot helpers, icon libraries, and forks of popular projects, including Cursor and React.

The attack utilized two newly created npm accounts, aartje and saliii229911, which published packages downloaded over 2,240 times before their removal from the registry. This distribution method represents a significant shift for Vidar, which has historically been spread through phishing emails containing malicious Office documents. The deceptive packaging and seemingly legitimate functionality allowed the malicious code to propagate widely before detection.

Datadog Security Labs identified the campaign through its GuardDog static analyzer, which flagged suspicious indicators, including postinstall script execution and process spawning operations. The discovery revealed that all packages executed identical attack chains through postinstall scripts, with some variants embedding PowerShell commands directly in package.json files.

Infection Mechanism and Technical Breakdown

The attack demonstrates remarkable simplicity in execution. When developers installed compromised packages, postinstall scripts automatically triggered, downloading an encrypted ZIP archive from bullethost.cloud infrastructure. The downloader scripts used hardcoded credentials to extract the archive, retrieving bridle.exe, a Go-compiled Vidar variant previously unseen in npm distributions. The malware then executed with system privileges, initiating the information theft process.

This Vidar variant collects sensitive data, including browser credentials, cookies, cryptocurrency wallets, and system files, before exfiltrating the stolen information through command-and-control infrastructure. The malware discovers active C2 servers by querying hardcoded Telegram and Steam throwaway accounts containing regularly updated C2 domains. After successful data exfiltration, the malware deletes traces of itself, complicating post-compromise detection.

The campaign reflects a sophisticated understanding of npm ecosystem weaknesses. Threat actors rotated between multiple C2 domains and varied the postinstall script implementations, likely to evade pattern-based detection systems. All affected packages remained live on npm for approximately two weeks, establishing this as one of the most consequential npm-based malware campaigns targeting enterprise development environments and individual developers worldwide.