November 23, 2025
Ten malicious npm packages were found stealing credentials from developers on Windows, macOS, and Linux. The packages typosquatted well-known libraries such as React Router, TypeScript, and Ethers.js, so a single mistyped package name in an install command or manifest was enough to pull them in. Once installed, the malware displayed a fake CAPTCHA prompt so the install looked like a legitimate interactive step while a heavily obfuscated script ran in the background, fingerprinted the host, and fetched a hidden infostealer payload. The stealer harvested browser-stored passwords, SSH keys, and authentication tokens and exfiltrated them to a remote command-and-control server.
The campaign relied on multi-stage delivery and four layers of obfuscation to defeat antivirus scanning and casual manual review, and bundled a large malicious executable inside packages that otherwise looked legitimate. The incident highlights a persistent weakness of open-source ecosystems: install-time lifecycle scripts run automatically with the developer's privileges, and a lookalike name is often all an attacker needs to get them executed. It reinforces the case for rigorous dependency validation (lockfiles, name checks, reviewing any package that declares install hooks), package signing and provenance, and behavioral monitoring of build and developer machines to catch supply chain compromise before credentials leave the host.
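As an added illustration of the two signals the article describes (a lookalike name and an install-time lifecycle hook), the following Node.js script audits a set of package manifests for both. It is example code written for this summary, not code from the article, Socket, or npm; the watchlist of popular packages, the sample manifests, and the helper names are constructed assumptions. In practice you would feed it the `package.json` files found under `node_modules/` or the entries of a `package-lock.json`.

```javascript
// Added example: typosquat + install-script audit for npm dependencies.
// Assumptions (constructed, not from the article): the WATCHLIST below and
// the SAMPLE_MANIFESTS used for the demo run.

// Popular package names an attacker would want to imitate (constructed list).
const WATCHLIST = ['react-router', 'react-router-dom', 'typescript', 'ethers', 'lodash', 'express'];

// Lifecycle scripts npm runs automatically during install; a malicious
// package uses one of these to launch its loader without the user doing anything.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Optimal string alignment (Damerau-Levenshtein) distance. Typosquats are
// typically one insertion, deletion, substitution or transposition away.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      // Adjacent transposition (e.g. "lodahs" for "lodash") counts as one edit.
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Watchlist entries that `name` is suspiciously close to (but not equal to).
function typosquatCandidates(name, watchlist = WATCHLIST, maxDistance = 2) {
  return watchlist.filter((w) => w !== name && editDistance(name, w) <= maxDistance);
}

// Lifecycle hooks a manifest declares, i.e. code that runs at install time.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE_HOOKS.filter((k) => typeof scripts[k] === 'string');
}

// Audit a list of parsed package.json objects. A lookalike name combined
// with an install hook is the pattern used by the campaign described above.
function audit(manifests, watchlist = WATCHLIST) {
  const findings = [];
  for (const m of manifests) {
    const lookalikeOf = typosquatCandidates(m.name, watchlist);
    const hooks = installScripts(m);
    if (lookalikeOf.length === 0 && hooks.length === 0) continue;
    findings.push({
      name: m.name,
      version: m.version,
      lookalikeOf,
      installScripts: hooks,
      severity: lookalikeOf.length > 0 && hooks.length > 0 ? 'high' : 'medium',
    });
  }
  return findings;
}

// Constructed sample manifests for the demo run (not real packages).
const SAMPLE_MANIFESTS = [
  { name: 'typescript', version: '5.6.2', scripts: { build: 'gulp' } },                  // legitimate, no hooks
  { name: 'lodash', version: '4.17.21' },                                                // legitimate, no scripts
  { name: 'typescriptt', version: '5.6.2', scripts: { postinstall: 'node lib/init.js' } }, // lookalike + hook
  { name: 'react-rooter', version: '6.26.0', scripts: {} },                              // lookalike only
  { name: 'native-build-helper', version: '1.0.0', scripts: { install: 'node-gyp rebuild' } }, // hook only
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(audit(SAMPLE_MANIFESTS), null, 2));
}
```

Only the `typescriptt` entry is rated high, because it carries both signals; the other two findings are worth a look but are the everyday shape of native addons and honest near-miss names. The script is a triage aid, not a replacement for the controls the article points to: running `npm ci --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) stops lifecycle hooks from executing at all, and a committed lockfile keeps a mistyped name out of the build once it has been caught once.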
Source: https://thehackernews.com/2025/10/10-npm-packages-caught-stealing.html