Malicious npm Packages Steal Data From Thousands of Developers
Ten malicious software packages posing as popular development tools have silently targeted developers across Windows, macOS, and Linux systems, stealing sensitive credentials and authentication tokens for months before detection.
Hidden Malware Found in Popular npm Packages
Cybersecurity firm Socket discovered ten npm packages carrying powerful information-stealing malware disguised as legitimate open-source tools. These packages, uploaded on July 4, remained undetected for weeks thanks to multiple layers of code obfuscation designed to bypass automated security checks.
According to researchers, the packages collectively amassed nearly 10,000 downloads, allowing attackers to collect system credentials, browser passwords, and authentication tokens from unsuspecting developers.
The malicious npm packages are still available at the time of reporting. The malicious uploads include:
typescriptjs
deezcord.js
dizcordjs
dezcord.js
etherdjs
ethesjs
ethetsjs
nodemonjs
react-router-dom.js
zustand.js
These names closely mimic legitimate libraries like TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand—commonly used tools in JavaScript and React development.
Typosquatting Tricks and Fake CAPTCHA Disguise
The attackers relied on a common deception tactic known as typosquatting, where malicious packages are uploaded with names resembling trusted ones. Developers searching npm might accidentally install a harmful package due to a slight misspelling or misleading search result.
Once installed, a hidden script runs automatically during installation. This “postinstall” script detects the system’s operating system, spawns a new terminal window, and executes a hidden JavaScript file called “app.js.” The process clears the terminal immediately, leaving no visible trace for the developer.
In an effort to appear legitimate, the malware even presents a fake CAPTCHA challenge made of ASCII characters before running its payload. This step tricks developers into believing the installation is routine.
This deceptive CAPTCHA is a clever distraction, buying the malware enough time to execute and establish communication with the attacker’s remote server.
Multi-Layer Obfuscation to Evade Detection
The malicious “app.js” file is heavily protected by four layers of obfuscation, which complicate analysis and help it bypass most static detection tools used by code security platforms. Socket researchers broke down the protection techniques as follows:
| Obfuscation Technique | Description |
|---|---|
| Self-decoding eval wrapper | Dynamically decodes hidden JavaScript functions |
| XOR decryption with dynamic key | Uses generated key to mask main payload |
| URL-encoded payload | Stores malicious code in encoded format |
| Control-flow obfuscation | Randomizes logic flow to confuse reverse-engineering |
These layers make it extremely difficult for traditional scanning tools to spot the malicious logic, allowing the malware to stay active for weeks without raising alarms.
Stealing Credentials From Browsers and System Keyrings
Once running, the malware sends the victim’s geolocation and system fingerprint to its command and control (C2) server hosted at 195.133.79.43. It then downloads a 24MB executable built with PyInstaller, customized for the host system’s platform.
This secondary payload is an advanced information stealer that targets several sensitive storage systems, including:
Windows Credential Manager
macOS Keychain
Linux SecretService, libsecret, and KWallet
It also extracts data from Chromium-based browsers and Firefox, retrieving saved passwords, session cookies, and profile data. The malware hunts for SSH keys in common directories and searches for OAuth, JWT, and API tokens frequently used in software development workflows.
The stolen data is then packaged into compressed archives and temporarily stored in /var/tmp or /usr/tmp directories before being exfiltrated to the attacker’s remote server.
What Developers Should Do Now
Developers who have installed any of the listed packages should take immediate action. Cybersecurity experts recommend a full cleanup of infected systems and rotation of all credentials and tokens. Even if the malware has been removed, there is a strong likelihood that stored secrets have already been stolen.
Security teams advise checking system logs for unusual outbound connections and verifying package authenticity before installation.
To minimize risk when working with npm or other open-source repositories, developers should:
Carefully check for typos or irregularities in package names.
Verify the publisher’s identity and version history.
Avoid installing packages with recent creation dates and low download counts.
Open-source ecosystems like npm remain a favorite target for attackers because of their trust-based structure and global developer reliance.
Growing Concern Over Supply Chain Threats
This latest attack underscores the rising trend of software supply chain compromises, where hackers exploit open-source ecosystems to spread malware at scale. Over the past year, incidents involving malicious npm and PyPI packages have surged, prompting discussions about stricter publishing controls.
Security researchers warn that as automation and dependency tools become standard, attackers are finding easier entry points into the software supply chain.
“Developers trust what they install, and that trust is being abused,” said one expert familiar with the case. “Typosquatting works because speed often wins over scrutiny.”
As of now, the ten malicious npm packages are still accessible, despite being flagged. Their removal and investigation are ongoing.
The discovery serves as a sharp reminder that even trusted developer platforms can harbor hidden dangers. Vigilance, verification, and regular security hygiene are key to staying safe in an increasingly hostile digital supply chain.