In a newly disclosed multi-stage supply-chain campaign, a threat actor published ten typosquatted npm packages that mimicked popular libraries to deploy a cross-platform credential stealer.

According to a Socket analysis, the packages were published on July 4 and had collectively amassed nearly 10,000 downloads in four months before being flagged for removal.

“Each package leverages npm’s postinstall hook to execute immediately upon installation, launching in a new terminal window to avoid detection during the install process,” Socket researchers noted in a blog post.

Once installed, these packages automatically launch a fake CAPTCHA prompt, tricking developers into believing it is part of a legitimate installation process. In parallel, the attack chain fingerprints the victim’s IP address and retrieves a PyInstaller-packed binary designed to harvest credentials from keyrings, browsers, SSH keys, API tokens, and cloud configuration files.

npm postinstall script with obfuscation

The malicious packages exploit a built-in npm lifecycle hook, the postinstall script, to kick off the attack without any additional user steps. Socket found these packages were designed to detect which operating system they were running on and then automatically open a new terminal window to launch the hidden malware script.

By running the payload in a separate window, the actor masks the activity from install logs, researchers noted.

Additionally, the JavaScript payload opens a fake CAPTCHA using Node’s readline and prints convincing messages such as “installing discord.js package..” with realistic version numbers and contributor counts. This social-engineering step both delays any obvious connection to the npm install step and can confuse developers and automated defenders into thinking the package is performing benign setup work.

Socket’s analysis also showed the JavaScript itself is deeply obfuscated across four distinct layers: an IIFE self-decoder, an XOR cipher keyed from the decoder source, URI-encoded payload text, and control-flow obfuscation using mixed numeral bases. Together these make static detection and casual code review substantially harder.

“This malware demonstrates multiple advanced techniques rarely seen together in npm supply chain attacks,” the researchers said. “The campaign combines four layers of obfuscation, social engineering via fake CAPTCHA and fake legitimate package installations, and automated execution with no additional user interaction after the fake CAPTCHA prompt.”

Payload for IP fingerprinting and credential theft

Once the fake CAPTCHA interaction occurs, the installer sends the victim’s IP address to the attacker’s server, a step that allows tracking, geofencing, and exclusion of unwanted targets.

It then downloads the payload from the same host: a 24 MB PyInstaller-packed application that contains hundreds of thousands of strings and multiple binaries, indicating a feature-rich stealer.

Socket’s further analysis of the binaries found that they perform aggressive filesystem and credential harvesting, targeting browser password stores and cookies, SSH keys, OS keyrings (Windows Credential Manager, macOS Keychain, Linux SecretService), cloud config files, SDK tokens, and other artifacts that can lead to “long-term access” to code repositories, cloud consoles, and corporate resources. Exfiltration transfers the data to the threat actor’s host, providing a central collection point for harvested secrets. Socket has published a full list of the ten malicious package names, their hashes, and the attacker’s associated email address to help developers and defenders identify potential compromises.

Popular libraries typosquatted in the campaign include TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand. npm’s popularity has made it a growing target for imposter packages, with abusers conducting massive espionage and supply-chain attacks in recent months.
