Ten typosquatted npm packages, uploaded on July 4, 2025, have been found to deliver an infostealer that harvests sensitive data from Windows, Linux, and macOS systems. The packages mimic popular libraries, hid their payload behind multiple obfuscation layers, and amassed nearly 10,000 downloads. Cybersecurity firm Socket reported the threat, noting that the packages remain available in the registry.
On July 4, 2025, threat actors uploaded ten malicious packages to the npm registry, using typosquatting to impersonate legitimate software like TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand. The packages—typescriptjs, deezcord.js, dizcordjs, dezcord.js, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, and zustand.js—tricked developers into installing them by appearing in search results for the real names.
Upon installation, a postinstall script runs automatically, opening a new terminal window that executes 'app.js' and immediately clears the screen so the activity goes unnoticed. This loader wraps its payload in four obfuscation layers: a self-decoding eval wrapper, XOR decryption with a dynamically derived key, URL-encoding of the payload, and heavy control-flow obfuscation. It prints a fake ASCII-art CAPTCHA in the terminal to look like a legitimate install step, then sends the victim's geolocation and a system fingerprint to a command-and-control server.
The malware then downloads a 24 MB PyInstaller-packaged infostealer binary built for the host OS. The stealer pulls credentials from system keyrings: Windows Credential Manager, the macOS Keychain, and on Linux the SecretService API, libsecret, and KWallet. It also raids Chromium-based and Firefox browsers for profiles, saved passwords, and session cookies, collects SSH keys from the usual directories, and hunts for tokens such as OAuth credentials, JWTs, and API keys.
Stolen data is compressed into archives and staged in /var/tmp or /usr/tmp before exfiltration to the attacker's server at 195.133.79.43; those staging paths and that address are the indicators to hunt for on any host that installed one of the ten packages. Despite Socket's report to npm, the packages were still available as of late October 2025. Affected developers should remove the packages, treat every credential on the host as compromised and rotate it (passwords, browser sessions, SSH keys, and API tokens included), and verify the publisher before installing. Because the whole chain starts from a lifecycle hook, installing with npm install --ignore-scripts (or setting ignore-scripts=true in .npmrc) would have stopped the loader from running at all, at the cost of also blocking the build steps some legitimate packages need.
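The following is an added example, not Socket's tooling or anything from npm, showing the check a developer would run against a project after reading the package list above and the note on postinstall hooks: it audits a package-lock.json for the ten reported names, for any dependency that declares an install hook (npm records this as hasInstallScript: true in lockfile v2/v3), and, going beyond the specific list, for dependency names within two edits of the libraries the campaign impersonated. The lockfile content is constructed for the example; the names MALICIOUS_PACKAGES, LEGITIMATE, lookalikeOf and auditLockfile are this example's own.

```javascript
// Added example (not Socket's tooling or npm's own code): audit an npm
// package-lock.json for (1) the ten typosquatted names from the report,
// (2) dependencies that declare install hooks, which is how this loader ran,
// and (3) names that look like a popular library but are not it.

const MALICIOUS_PACKAGES = new Set([
  'typescriptjs', 'deezcord.js', 'dizcordjs', 'dezcord.js', 'etherdjs',
  'ethesjs', 'ethetsjs', 'nodemonjs', 'react-router-dom.js', 'zustand.js',
]);

// The libraries the campaign impersonated.
const LEGITIMATE = ['typescript', 'discord.js', 'ethers', 'nodemon',
                    'react-router-dom', 'zustand'];

// Constructed sample lockfile (lockfileVersion 3 layout), not a real project's.
// npm writes "hasInstallScript": true for any package whose package.json declares
// preinstall/install/postinstall scripts; that flag is the cheap place to look.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { ethers: '^6.0.0', etherdjs: '^1.0.0' } },
    'node_modules/ethers': { version: '6.13.0' },
    'node_modules/etherdjs': { version: '1.0.0', hasInstallScript: true },
    'node_modules/esbuild': { version: '0.21.0', hasInstallScript: true },
  },
});

// "node_modules/a/node_modules/@s/b" -> "@s/b" (nested deps keep the full path).
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

// Standard Levenshtein distance, used by the lookalike heuristic below.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Drop a trailing "js" / ".js" / "-js" so "zustand.js" and "nodemonjs" collapse
// onto the name they imitate before comparing.
function normalize(name) {
  return name.toLowerCase().replace(/[-._]?js$/, '');
}

// Returns the legitimate package `name` most resembles (edit distance <= 2
// after normalization), or null. Exact legitimate names are never flagged.
// Threshold 2 is a choice: it catches nine of the ten packages above but not
// deezcord.js, which is three edits from discord.js, so keep the explicit
// blocklist as well rather than relying on the heuristic alone.
function lookalikeOf(name, legit = LEGITIMATE, maxDistance = 2) {
  if (legit.includes(name.toLowerCase())) return null;
  let best = null;
  for (const real of legit) {
    const d = editDistance(normalize(name), normalize(real));
    if (d <= maxDistance && (best === null || d < best.d)) best = { real, d };
  }
  return best ? best.real : null;
}

function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = { malicious: [], installScripts: [], lookalikes: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (name === null) continue;               // the root project entry ('')
    if (MALICIOUS_PACKAGES.has(name)) findings.malicious.push(name);
    if (entry.hasInstallScript === true) findings.installScripts.push(name);
    const real = lookalikeOf(name);
    if (real) findings.lookalikes.push(`${name} -> ${real}`);
  }
  return findings;
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, read package-lock.json with fs.readFileSync and pass the string to auditLockfile; pnpm and yarn lockfiles use different layouts and would need their own parser. An install-hook finding is not by itself malicious (esbuild in the sample is a legitimate case), but it is the list of packages whose code already ran with the developer's privileges, which is exactly what needs a second look after an incident like this one.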
