Typosquatting NPM Packages Deliver Cross-Platform Information Stealer

Security researchers have identified ten malicious packages on the npm registry that deploy a sophisticated information stealer capable of targeting Windows, Linux, and macOS systems. These packages, which use typosquatting to mimic popular libraries like TypeScript and discord.js, have accumulated nearly 10,000 downloads. They evade detection through multiple layers of obfuscation, including self-decoding wrappers and XOR encryption.

Upon installation, a post-install script triggers automatically, spawning a terminal that displays a fake CAPTCHA challenge to appear legitimate. This script then acts as a loader, sending the victim's geolocation and system fingerprint to a command-and-control server before fetching a 24 MB PyInstaller-packaged binary tailored to the operating system. The final payload is a comprehensive stealer designed to harvest a wide array of sensitive data.

The malware extracts credentials from system keyrings, saved passwords and cookies from Chromium and Firefox browsers, and SSH keys from common directories. It also specifically hunts for OAuth and API tokens. All stolen information is compressed and exfiltrated to an attacker-controlled server. Developers who may have installed these packages are urged to rotate all credentials and tokens immediately. This campaign underscores the critical need to verify package names and sources meticulously to avoid such typosquatting threats.
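The two warning signs the article describes, a package name that is a near-miss of a popular library and an install-time lifecycle script that runs code automatically, can both be checked before a dependency is trusted. The following Node.js script is an added example, not code from the article or from the packages it describes; the popular-name list and the sample manifests are constructed for illustration.

```javascript
// Popular names to compare against (constructed, illustrative list).
const POPULAR = ['typescript', 'discord.js', 'express', 'lodash', 'react'];
// Lifecycle hooks that npm runs automatically during `npm install`.
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Levenshtein edit distance: enough to catch one- or two-character typos.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,                                   // deletion
        dp[i][j - 1] + 1,                                   // insertion
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1), // substitution
      );
    }
  }
  return dp[a.length][b.length];
}

// Return { name, distance } for the popular package this name is a
// near-miss of, or null. An exact match is the real package, not a squat.
function nearestPopular(name, popular = POPULAR, maxDistance = 2) {
  let best = null;
  for (const p of popular) {
    if (p === name) return null;
    const d = editDistance(name, p);
    if (d <= maxDistance && (best === null || d < best.distance)) {
      best = { name: p, distance: d };
    }
  }
  return best;
}

// List the install-time scripts a manifest would run without user action.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === 'string')
    .map((k) => ({ hook: k, command: scripts[k] }));
}

// Combine both signals into a list of human-readable findings.
function auditManifest(manifest) {
  const findings = [];
  const near = nearestPopular(manifest.name);
  if (near) findings.push(`name "${manifest.name}" is ${near.distance} edit(s) from "${near.name}"`);
  for (const s of installScripts(manifest)) findings.push(`runs ${s.hook} script: ${s.command}`);
  return findings;
}

// Constructed sample manifests (not real packages): one clean, one suspicious.
const SAMPLES = [
  { name: 'typescript', version: '5.0.0', scripts: { build: 'tsc' } },
  { name: 'typescrpt', version: '1.0.0', scripts: { postinstall: 'node setup.js' } },
];
```

Running `auditManifest` over each `node_modules/*/package.json` before the first `npm install` completes (for example with `npm install --ignore-scripts`, then reviewing the findings) turns the article's advice into a repeatable check.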
