
Cybersecurity researchers have discovered a set of 10 malicious npm packages designed to steal information from Windows, Linux, and macOS systems.
“The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints the victim by IP address, and downloads a 24MB PyInstaller package information stealer that collects credentials from system keyrings, browsers, and authentication services on Windows, Linux, and macOS,” said Kush Pandya, a Socket security researcher.
The packages were uploaded to the registry on July 4, 2025, and have accumulated over 9,900 downloads in total. They are:
deezcord.js, dezcord.js, dizcordjs, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, typescriptjs, zustand.js

The multi-step credential theft operation took the form of typosquatting packages impersonating popular npm libraries such as TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand.
Once installed, the malware displays a fake CAPTCHA prompt and prints authentic-looking output that mimics the installation of a legitimate package, so the setup appears to be proceeding as expected. In the background, however, the package captures the victim’s IP address, sends it to an external server (195.133.79[.]43), and then proceeds to the main malware drop.
In each package, a postinstall hook runs automatically on installation and launches a script named “install.js”, which detects the victim’s operating system and opens an obfuscated payload (“app.js”) in a new window: a command prompt on Windows, GNOME Terminal or x-terminal-emulator on Linux, or Terminal on macOS.
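As an added defender-side example (not Socket’s or the article’s code), the following Node.js snippet checks a parsed package.json for the two signals described above: a name within a couple of edits of one of the impersonated libraries, and an install-time lifecycle hook whose script opens a terminal window. It assumes the caller feeds it each node_modules/<pkg>/package.json together with a readFile callback for the scripts a hook references; the terminal-launcher spellings and the edit-distance threshold are assumptions of this example.

```javascript
// Added example (not Socket's or the article's code): flag the two signals the
// article describes for an installed package: a name close to a popular library,
// and an install-time lifecycle hook whose script opens a terminal window.
// Libraries impersonated in this campaign, per the article.
const POPULAR = ['typescript', 'discord.js', 'ethers', 'nodemon',
  'react-router-dom', 'zustand'];
// Hooks npm runs automatically at install time; the campaign used postinstall.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];
// Terminal launchers the article names (Linux, macOS, Windows); assumed spellings.
const TERMINAL_RE = /gnome-terminal|x-terminal-emulator|osascript|\bstart\b.*\bcmd\b|cmd(\.exe)?\s+\/[ck]/i;
// Plain Levenshtein distance: enough to catch one- or two-character typos.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
// Drop a trailing "js" or ".js": most names in the campaign differ from their
// target only by that suffix plus at most one typo.
const normalize = (n) => n.toLowerCase().replace(/\.?js$/, '');
// Popular package a name is likely squatting, or null. Threshold 2 misses
// heavier rewrites such as deezcord.js; raising it trades recall for noise.
function typosquatTarget(name) {
  const n = normalize(name);
  const hit = POPULAR.find((p) => p !== name && editDistance(n, normalize(p)) <= 2);
  return hit || null;
}
// Audit a parsed package.json. readFile(relPath) returns a script's source so the
// terminal check also covers a "node install.js" hook, as in this campaign.
function auditPackage(pkg, readFile) {
  const findings = [];
  const squat = typosquatTarget(pkg.name || '');
  if (squat) findings.push(`name resembles "${squat}"`);
  for (const hook of LIFECYCLE) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    findings.push(`${hook} hook runs: ${cmd}`);
    const m = /\bnode\s+(\S+\.js)/.exec(cmd);
    const body = cmd + '\n' + (m ? readFile(m[1]) || '' : '');
    if (TERMINAL_RE.test(body)) findings.push(`${hook} hook opens a terminal window`);
  }
  return findings;
}
```

A wrapper that walks node_modules and calls auditPackage on every package.json (reading referenced scripts from the same directory) turns this into a post-install audit for a project tree.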

“By spawning a new terminal window, the malware runs independently of the npm installation process,” Pandya points out. “During the installation, when the developer looks at the device, they can see a new window briefly appear, but the malware quickly erases the window to avoid any suspicion.”
The JavaScript contained in “app.js” is hidden behind four layers of obfuscation designed to withstand analysis, including XOR encryption with dynamically generated keys, URL encoding of the payload string, and hexadecimal and octal arithmetic that obscures program flow.
The ultimate goal of the attack is to fetch and run a comprehensive information stealer (“data_extracter”) from the same server. It thoroughly scans the developer’s machine for secrets, authentication tokens, credentials, and session cookies held in web browsers, configuration files, and SSH keys.

The stealer binary also includes platform-specific implementations for extracting credentials from the system keyring using the keyring npm library. The collected information is compressed into a ZIP archive and exfiltrated to the server.
“System keyrings store credentials for critical services such as email clients (Outlook, Thunderbird), cloud storage synchronization tools (Dropbox, Google Drive, OneDrive), VPN connections (Cisco AnyConnect, OpenVPN), password managers, SSH passphrases, database connection strings, and other applications that integrate with the OS credential store,” Socket said.
“By directly targeting the keyring, the malware bypasses application-level security and collects stored credentials in decrypted form. These credentials provide instant access to corporate email, file storage, internal networks, and operational databases.”
