Cybersecurity researchers have identified a new threat in the npm ecosystem, consisting of 10 malicious packages designed to deliver a potent information stealer capable of compromising Windows, Linux, and macOS machines. These packages, including “deezcord.js,” “dizcordjs,” “dizcordjs,” “etherdjs,” “ethesjs,” “ethetsjs,” “nodemonjs,” “react-router-dom.js,” “typescriptjs,” and “zustand.js,” were uploaded to the registry on July 4, 2025, and collectively amassed over 9,900 downloads. The attack uses typosquatting, impersonating popular libraries like TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand to trick developers into installation. This multi-stage credential theft operation begins the moment a developer installs one of the deceptive packages.
Once installed, the malware uses a postinstall hook to automatically trigger a script named “install.js” to initiate the attack. The script first checks the victim’s operating system and then executes an obfuscated payload called “app.js” in a new terminal window—specifically Command Prompt on Windows, GNOME Terminal/x-terminal-emulator on Linux, or Terminal on macOS. To maintain a facade of legitimacy, the package displays a fake CAPTCHA prompt and shows authentic-looking output that mimics a legitimate package installation. During this process, the package also captures the victim’s IP address and sends it to an external server at “195.133.79[.]43” before dropping the main malware.
Spawning a new, briefly visible terminal window is a clever way to avoid suspicion, since it lets the malicious process run independently of the npm installation flow. Socket security researcher Kush Pandya noted that developers who glance at their terminal during installation only see a new window briefly appear before the malware immediately clears it to avoid suspicion. Furthermore, the JavaScript within the “app.js” payload is designed to resist analysis by employing four layers of obfuscation. These anti-analysis measures include techniques such as an XOR cipher with a dynamically generated key, URL-encoding of the payload string, and hexadecimal and octal arithmetic that obscures the program’s logic and flow.
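As an added defensive example (not code from the article or from Socket), the script below audits a package for the two traits described above: a name that imitates one of the impersonated libraries, and an install lifecycle hook whose script spawns a terminal window. The popular-name list, the regex of terminal launchers, and the `readFile` callback are assumptions for illustration; the sample package and `install.js` line are constructed, not the real package contents.

```javascript
// Names the campaign impersonated (from the article); extend with your own dependency set.
const POPULAR = ["typescript", "discord.js", "ethers", "nodemon", "react-router-dom", "zustand"];
const LIFECYCLE = ["preinstall", "install", "postinstall"];
// Terminal launchers the article names: cmd on Windows, GNOME/x-terminal-emulator on Linux, Terminal on macOS.
const TERMINAL_SPAWN = /\bcmd(\.exe)?\b.*\bstart\b|gnome-terminal|x-terminal-emulator|osascript|application "Terminal"/i;

// Edit distance, used to spot near-miss names such as "ethesjs" for "ethers".
function levenshtein(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Returns the popular name a package name imitates, or null. The campaign appended
// ".js"/"js" to real names, so that suffix is stripped before comparing.
function typosquatOf(name) {
  if (POPULAR.includes(name)) return null;
  const base = name.replace(/(\.js|js)$/, "");
  for (const p of POPULAR) if (levenshtein(base, p.replace(/\.js$/, "")) <= 2) return p;
  return null;
}

// pkg: parsed package.json object; readFile(relPath) returns a file's text or null (assumed helper).
function auditPackage(pkg, readFile) {
  const findings = [];
  const squat = typosquatOf(pkg.name || "");
  if (squat) findings.push(`name "${pkg.name}" resembles "${squat}"`);
  for (const hook of LIFECYCLE) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    findings.push(`${hook} hook: ${cmd}`);
    // Inspect each script file the hook runs, e.g. "node install.js".
    for (const tok of cmd.split(/\s+/)) {
      const body = /\.[cm]?js$/.test(tok) ? readFile(tok) : null;
      if (body && TERMINAL_SPAWN.test(body)) findings.push(`${tok} spawns a terminal window`);
    }
  }
  return findings;
}

// Constructed sample mirroring the article's pattern (not the real package contents).
const SAMPLE_PKG = { name: "dizcordjs", scripts: { postinstall: "node install.js" } };
const SAMPLE_FILES = { "install.js": 'spawn("cmd.exe", ["/c", "start", "node", "app.js"]);' };
function auditSample() { return auditPackage(SAMPLE_PKG, (p) => SAMPLE_FILES[p] ?? null); }
console.log(auditSample());
```

To run it over an installed tree, call `auditPackage` for each `node_modules/*/package.json` with a `readFile` that reads relative to that package directory; `npm install --ignore-scripts` blocks the hook entirely while you review the findings.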
The primary objective of the attack is to fetch and execute a comprehensive 24MB PyInstaller-packaged information stealer named “data_extracter” from the same external server. This final-stage binary is equipped to thoroughly scan the developer’s machine for secrets, authentication tokens, credentials, and session cookies from various sources, including web browsers, configuration files, and SSH keys. The information stealer incorporates platform-specific implementations, including the use of the keyring npm library, to directly extract credentials stored in the system keyring. This method bypasses typical application-level security and harvests stored credentials in their decrypted form.
Targeting the system keyring is particularly dangerous because these stores hold critical credentials for various services, such as email clients (Outlook, Thunderbird), cloud storage tools (Dropbox, Google Drive, OneDrive), VPN connections (Cisco AnyConnect, OpenVPN), password managers, SSH passphrases, and database connection strings. By successfully targeting and extracting these credentials, the malware provides attackers with immediate and high-value access to corporate email, file storage, internal networks, and production databases. All the harvested information is compressed into a ZIP archive and subsequently exfiltrated back to the control server, completing the sophisticated credential theft operation.