Summary of the Threat
Researchers found 10 malicious npm packages that delivered a multi-platform information stealer targeting Windows, macOS, and Linux. They reported that the operation relied on heavy obfuscation and a fake CAPTCHA shown during install, which is why many developers noticed nothing unusual while the packages installed.
How the Attack Works
The malicious packages appeared on the registry on July 4, 2025. They used typosquatting to mimic popular libraries such as TypeScript and nodemon, so a single mistyped name in an install command could pull in the malicious package instead of the real one. Each package declared a postinstall hook, which npm runs automatically at the end of installation; the hook launched a hidden script that opened a new terminal window, so the payload ran independently of the npm install process rather than inside the output the developer was watching.
Obfuscation and Delivery Details
The attacker wrapped the JavaScript in four layers of obfuscation, combining XOR ciphers, URL encoding, and numeric encoding tricks that had to be unwrapped in sequence before the real logic became readable. Once decoded, the script contacted an external server and downloaded a 24 MB PyInstaller-packaged stealer, which then executed and scanned the host for secrets.
What the Stealer Takes
The payload targeted system keyrings, browsers, and authentication services, extracting tokens, cookies, SSH keys, and password-manager data. It compressed the harvested data into a ZIP archive and exfiltrated that archive to the attacker's server.
Installation Tricks and Evasion
During install, victims saw a fake CAPTCHA prompt and otherwise normal-looking output, while the malware quietly captured the victim's IP address and sent it to the server. The flow was designed so that the installation looked benign to a casual observer and escaped quick detection.
Platform-Specific Actions
The malicious postinstall launched app.js, which adapted its behaviour to the host operating system: on Windows it opened Command Prompt, on Linux it used x-terminal-emulator, and on macOS it used Terminal to run the payload. Because the stealer ran natively on each platform, it could use that platform's own keyring APIs to decrypt stored credentials.
Impact on Development and Operations
Stolen keyring data can expose email, cloud sync, VPN, and CI secrets, giving attackers access to repositories, databases, and internal tools. A single compromised developer machine can therefore become a foothold into many systems, so organizations must treat developer endpoints as high-value targets.
Detection and Response Notes
Researchers observed nearly 9,900 combined downloads across the ten packages before takedown. They warned that spawning a new terminal reduces immediate suspicion because the malicious activity never appears in the npm output a developer is watching; defenders therefore need deeper telemetry than terminal output alone, such as process-creation and outbound-connection events from install-time processes. Automated scans of installed packages for install-time lifecycle scripts can spot anomalies early.
How to Prevent This Attack
Do not install packages from unknown or suspicious sources, and check package names carefully before installing, since typosquats rely on a single mistyped or transposed character. Enforce package registry monitoring and automated supply-chain scanning to catch typosquats early, and consider installing with npm's ignore-scripts setting (npm install --ignore-scripts, or ignore-scripts=true in .npmrc) so that lifecycle hooks such as postinstall cannot run unreviewed; packages that genuinely need build hooks can then be allowed case by case. Deploy managed endpoint detection and response that inspects postinstall activity, including hidden terminal spawns and abnormal network fetches from install-time processes. Finally, apply strict least-privilege controls on developer machines and rotate any exposed secrets immediately.
Sleep well, we got you covered.

