Illustration of a developer's desk with a computer screen showing malicious npm packages stealing credentials across platforms, highlighting cybersecurity risks.
Illustration of a developer's desk with a computer screen showing malicious npm packages stealing credentials across platforms, highlighting cybersecurity risks.
Picha iliyoundwa na AI

Malicious npm packages steal developer credentials on multiple platforms

Picha iliyoundwa na AI

Ten typosquatted npm packages, uploaded on July 4, 2025, have been found downloading an infostealer that targets sensitive data across Windows, Linux, and macOS systems. These packages, mimicking popular libraries, evaded detection through multiple obfuscation layers and amassed nearly 10,000 downloads. Cybersecurity firm Socket reported the threat, noting the packages remain available in the registry.

On July 4, 2025, threat actors uploaded ten malicious packages to the npm registry, using typosquatting to impersonate legitimate software like TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand. The packages—typescriptjs, deezcord.js, dizcordjs, dezcord.js, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, and zustand.js—tricked developers into installing them by appearing in search results for the real names.

Upon installation, a postinstall script activates, spawning a hidden terminal that executes 'app.js' and clears the window to avoid notice. This loader employs four obfuscation layers: a self-decoding eval wrapper, XOR decryption with a dynamic key, URL-encoded payload, and heavy control-flow obfuscation. It displays a fake ASCII CAPTCHA in the terminal to seem legitimate, then sends the victim's geolocation and system fingerprint to a command-and-control server.

The malware subsequently downloads a 24MB PyInstaller-packaged infostealer binary tailored to the host OS. This tool extracts credentials from system keyrings, including Windows Credential Manager, macOS Keychain, and Linux options like SecretService, libsecret, and KWallet. It also targets Chromium-based and Firefox browsers for profiles, saved passwords, and session cookies, alongside SSH keys in common directories and tokens such as OAuth, JWT, and API keys.

Stolen data is compressed into archives and staged in /var/tmp or /usr/tmp before exfiltration to the attacker's server at 195.133.79.43. Despite Socket's report to npm, the packages were still available as of late October 2025. Experts urge affected developers to remove the packages, rotate all credentials, and verify sources from reputable publishers to prevent compromise.

Makala yanayohusiana

Seventy-three Microsoft open source packages were compromised late last week with malware that steals credentials from cloud services and developer tools. The malicious code activates when opened in AI coding agents.

Imeripotiwa na AI

Developer platform Socket has identified a malware known as TrapDoor that is targeting crypto and AI developers.

A ransomware group known as ShinyHunters exploited a critical zero-day flaw in Oracle’s PeopleSoft software to target about 100 organizations. The attackers stole gigabytes of data from victims, including the University of Nottingham, and issued extortion demands. Oracle has released a mitigation but not a full patch.

Imeripotiwa na AI

Google published proof-of-concept exploit code on Wednesday for a vulnerability in its Chromium browser that has gone unfixed for 29 months. The flaw affects Chrome, Microsoft Edge, and other Chromium-based browsers used by millions worldwide. It enables attackers to establish persistent connections for monitoring user activity and launching attacks.

Jumanne, 16. Mwezi wa sita 2026, 20:05:46

Arch Linux disables new AUR registrations after malware waves

Jumamosi, 13. Mwezi wa sita 2026, 16:49:43

Malware infects 1579 packages in Arch Linux AUR

Jumatatu, 11. Mwezi wa tano 2026, 06:22:56

Fake OpenAI repository tops Hugging Face downloads

Jumanne, 5. Mwezi wa tano 2026, 12:10:37

Daemon Tools app hit by monthlong supply-chain attack

Jumatano, 22. Mwezi wa nne 2026, 09:46:30

Microsoft patches critical ASP.NET Core vulnerability on macOS and Linux

Tovuti hii inatumia vidakuzi

Tunatumia vidakuzi kwa uchambuzi ili kuboresha tovuti yetu. Soma sera ya faragha yetu kwa maelezo zaidi.
Kataa