Malicious npm packages deliver infostealer malware to developers

Security firm Socket has uncovered ten malicious packages in the npm repository that target developers on Windows, macOS, and Linux systems. These packages, available since July, use typosquatting and sophisticated obfuscation to install infostealer malware. The malware steals credentials from browsers, SSH keys, and configuration files before exfiltrating data to attackers.

Since the beginning of July, ten malicious npm packages have been circulating in the JavaScript package manager, amassing 9,900 downloads before their removal around late October. Discovered by Socket, a company specializing in software supply chain security, the packages employ typosquatting tactics with names mimicking legitimate ones, such as typescriptjs (instead of TypeScript), deezcord.js, dizcordjs, dezcord.js, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, and zustand.js.

The infection begins during installation via a postinstall script in the package.json file. This script opens a hidden terminal window specific to the operating system and executes an app.js file. The app.js contains multi-layered obfuscation, including URL encoding and switch statements with hexadecimal and octal calculations, to conceal its malicious routines. To maintain the appearance of legitimacy, it displays a fake CAPTCHA rendered in ASCII art, requiring user input that serves only as a diversion.

Upon activation, the malware sends the target's IP address to an attacker's server and downloads a platform-specific binary. It then switches to Python execution using PyInstaller, running an unobfuscated application named data_extracter. This tool scours system directories for sensitive data, including Firefox and Chromium browser profiles, SSH keys, AWS credentials in ~/.aws/credentials, SQLite databases, JSON configuration files, browser cookies, keyrings, and authentication tokens. The stolen information is compressed into a ZIP file and transmitted to the attackers.

Although the packages are no longer available on npm as of late October, their three-month availability and advanced obfuscation raise concerns about undetected variants. This incident underscores ongoing vulnerabilities in npm to supply chain attacks, prompting calls for developers to verify packages and monitor installations closely.
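The two install-time signals this campaign relies on, a lifecycle script in package.json and a dependency name that is a near-miss of a popular package, can both be checked before `npm install` runs anything. The following is an added example, not code from Socket or from the affected packages; it assumes a small list of the legitimate names the campaign imitated and a constructed manifest, and flags install hooks plus any dependency within edit distance 2 of a known name after stripping a bolted-on "js" suffix.

```javascript
// Added example (not from the report): audit a package.json offline for the
// two red flags described above. POPULAR is an assumed allow-list of real names.
const POPULAR = ["typescript", "discord.js", "ethers", "nodemon", "react-router-dom", "zustand"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Lowercase, drop a trailing ".js"/"js" (the suffix the campaign appended), strip punctuation.
function normalise(name) {
  return name.toLowerCase().replace(/(\.js|js)$/, "").replace(/[^a-z0-9]/g, "");
}

// Return the popular package a name imitates, or null if it is exact or unrelated.
function lookalikeOf(name) {
  if (POPULAR.includes(name)) return null;
  const n = normalise(name);
  for (const p of POPULAR) {
    if (editDistance(n, normalise(p)) <= 2) return p;
  }
  return null;
}

// Audit a parsed manifest: which install hooks it declares and which deps look typosquatted.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => h in scripts);
  const deps = Object.keys({ ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) });
  const lookalikes = deps.map((d) => [d, lookalikeOf(d)]).filter(([, p]) => p !== null);
  return { hooks, lookalikes, suspicious: hooks.length > 0 || lookalikes.length > 0 };
}

// Constructed sample manifest, not a real package: one install hook, two lookalike names.
const SAMPLE_MANIFEST = {
  name: "demo-app",
  scripts: { postinstall: "node app.js" },
  dependencies: { dizcordjs: "^1.0.0", lodash: "^4.17.21" },
  devDependencies: { typescriptjs: "^5.0.0" },
};
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST)));
```

The distance rule is a heuristic: deezcord.js sits at distance 3 from discord.js and passes this check, which is why the install-hook signal and a review of what the hook actually runs matter more than name matching alone.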
