🚨 CRITICAL alert

Malicious NPM Packages Deliver Cross-Platform Infostealer to Developers

Socket discovered 10 malicious npm packages delivering infostealer malware across Windows, Linux, and macOS. What's sophisticated: 4 layers of obfuscation hide payloads, fake CAPTCHA appears legitimate, and attackers fingerprint victims by IP address. The malware downloads a 24MB PyInstaller-packaged stealer harvesting credentials from system keyrings, browsers, and authentication services. The packages were typosquatted (typescriptjs, deezcord.js, etherdjs, nodemonjs, react-router-dom.js, zustand.js) and accumulated 9,900+ downloads over 4 months. What's nasty: the malware serves different content to security researchers vs real victims, and it runs independently by launching in a new terminal window that immediately clears itself.

🎯 CORTEX Protocol Intelligence Assessment

This demonstrates the maturation of npm supply chain attacks—moving beyond simple typosquatting to sophisticated multi-stage delivery with environment detection. The 4-month persistence shows detection gaps in npm's security scanning. Developer workstations are high-value targets: credentials stored here often have access to production systems, cloud infrastructure, and private repositories.

⚡ Strategic Intelligence Guidance

  • Immediate response: audit dependencies for these packages (typescriptjs, deezcord.js, dezcord.js, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, zustand.js), assume compromise if found.
  • Rotate all credentials stored on affected systems: SSH keys, cloud access keys, API tokens, OAuth tokens, repository access.
  • Implement npm package verification: use package-lock.json to pin versions, audit new dependencies before installation, scan with tools like Socket or npm audit.
  • Isolate build environments: use ephemeral CI/CD runners, restrict egress to prevent data exfiltration, minimize credential storage on developer workstations.

Vendors

npm

Threats

Typosquatting

Targets

Developers, Software Supply Chain

Impact

Data Volume: 24MB
Financial: 9,900+