Typosquatted Packages Deploy Multi-Stage Credential Harvester

By SigINT_Admin1 on November 1, 2025 (Last modified: November 1, 2025)

Security researchers discovered ten malicious packages on the npm registry that had been stealing user credentials for over four months, accumulating nearly 10,000 downloads. The packages use a multi-stage loader to avoid detection and then harvest credentials from system keyrings and browsers on all major operating systems (Windows, Linux, and macOS). The researchers have requested that npm remove the packages.

🔍 Detailed Breakdown of the Threat
Socket's Threat Research Team found 10 malicious packages on the npm software registry that were published on July 4, 2025, and have since been downloaded over 9,900 times. The packages launch a multi-stage credential theft attack as soon as they are installed: a postinstall script runs automatically, and the payload is spawned in a separate terminal window to stay out of the developer's sight.

The attackers used several advanced methods to evade detection:

  • Four Layers of Obfuscation: The malicious code was heavily disguised to hide its true function.
  • Deceptive CAPTCHA: A fake CAPTCHA was displayed to the victim to make the activity look like a legitimate part of the software installation.
  • System Fingerprinting: The malware collected the victim's IP address to identify the target machine.
  • Final Payload: The last stage downloaded a large, 24MB PyInstaller-packaged information stealer. This final malware is designed to harvest sensitive login data from system keyrings, web browsers, and authentication services on Windows, Linux, and macOS systems.

🛑 Anatomy of the Attack
The threat actor, identified by the alias andrew_r1 (email: parvlhonor@gmx[.]com), successfully published all ten malicious packages by using a technique called typosquatting. This involves creating packages with names that are nearly identical to popular, trusted libraries, tricking developers into installing the wrong one.
The Typosquatted Targets
The malicious packages mimicked several highly-used JavaScript libraries (malicious name, followed by the legitimate target it impersonates):
  • typescriptjs impersonates TypeScript
  • deezcord.js, dizcordjs, dezcord.js impersonate discord.js
  • etherdjs, ethesjs, ethetsjs impersonate ethers.js
  • nodemonjs impersonates nodemon
  • react-router-dom.js impersonates react-router-dom
  • zustand.js impersonates zustand
Automatic and Stealthy Execution
The malware was engineered to run immediately and discreetly upon installation using a standard npm feature: the postinstall lifecycle hook.
Immediate Launch: The package.json file was configured to execute a script named install.js right after a developer ran npm install.

```json
"scripts": {
  "postinstall": "node install.js"
}
```

Platform Detection: The install.js script first detected the victim's operating system (Windows, Linux, or macOS).
New Terminal Launch: To keep the malware separate from the npm installation process and avoid detection, the script immediately spawned the main, obfuscated payload in a new, separate terminal window. This window quickly closes or clears its content, making it appear to the developer as a fleeting, minor glitch during the installation process, rather than a security breach.
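The two mechanisms described above, typosquatted names and an automatic postinstall hook, can both be checked for before a dependency is ever installed. The following is an added defender-side example, not code from Socket's report or from the packages it describes; the watchlist is built only from the legitimate libraries named on this page, the package.json manifest is constructed for the example, and a real deployment would load a far larger list of popular packages.

```javascript
// Added example (not from the Socket report): audit a package.json for
// (1) dependency names within a small edit distance of a popular library and
// (2) npm lifecycle hooks such as postinstall that run code on `npm install`.

// Hooks npm runs automatically during installation.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Watchlist: the legitimate targets named on the page (assumption: a real
// deployment would use a much larger list of top npm packages).
const WATCHLIST = ["typescript", "discord.js", "ethers", "nodemon", "react-router-dom", "zustand"];

// Classic Levenshtein edit distance, computed with one rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// The squats on this page mostly append "js"/".js" or change one letter, so
// compare lower-cased names with such a suffix stripped.
function normalize(name) {
  return name.toLowerCase().replace(/(\.js|js)$/, "");
}

// Flag names close to a watchlist entry but not identical to it (the genuine
// package is skipped by exact match).
function findTyposquats(names, maxDist = 2, watchlist = WATCHLIST) {
  const hits = [];
  for (const name of names) {
    if (watchlist.includes(name)) continue;
    for (const target of watchlist) {
      if (levenshtein(normalize(name), normalize(target)) <= maxDist) hits.push({ name, mimics: target });
    }
  }
  return hits;
}

// Every lifecycle hook the manifest registers, with the command it would run.
function findLifecycleScripts(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// Constructed sample manifest; the postinstall entry is the one quoted on the page.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { "discord.js": "^14.0.0", dizcordjs: "1.0.0", typescriptjs: "1.0.0", "deezcord.js": "1.0.0" },
  scripts: { postinstall: "node install.js" },
});

function auditManifest(pkgJsonText, maxDist = 2) {
  const pkg = JSON.parse(pkgJsonText);
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  return { typosquats: findTyposquats(names, maxDist), hooks: findLifecycleScripts(pkgJsonText) };
}
```

Note that deezcord.js sits at edit distance 3 from discord.js, so the default threshold of 2 misses it; edit distance catches single-letter and suffix squats but a phonetic lookalike needs a looser threshold or a curated blocklist, and the lifecycle-hook check (or `npm install --ignore-scripts`) covers the install-time execution regardless of the name.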