Malicious NPM Packages Drop Infostealer Across Windows, Linux, and macOS
Category: Threat Intelligence / Malware
Researchers discovered ten malicious npm packages whose names mimic popular libraries such as TypeScript, React Router, and Discord.js. Each package fetches an infostealer built with PyInstaller that harvests credentials and SSH keys on Windows, Linux, and macOS. Over 10,000 downloads were recorded before removal.
CORTEX Protocol Intelligence Assessment
Business Impact: A compromised developer workstation exposes repository access and stored credentials, so a single infected machine becomes a software supply chain risk for every project that developer can push to.
Technical Context: The attackers relied on typosquatting of well-known package names and a fake CAPTCHA loader stage to obscure delivery of the payload.
Strategic Intelligence Guidance
- Verify npm package authenticity before installation: match the exact package name and publisher, and treat recently published look-alikes of popular libraries as suspect.
- Rotate credentials and SSH keys stored on any developer system that installed one of the packages.
- Implement software composition analysis (SCA) tooling in CI and on developer machines.
- Monitor developer endpoints for unauthorized npm installations and for unexpected child processes spawned by npm during installation.
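The first and last points above can be automated before a package is ever installed. The following Node.js script is an added example, not code from the report or from the researchers; it screens a package.json object for two signals: a name within a small edit distance of a well-known library (including the common trick of appending "js" or ".js"), and lifecycle scripts that npm runs automatically at install time. The allow-list of popular names, the loader command pattern, and the two sample manifests are constructed for illustration; build the allow-list from your own lockfiles in practice.

```javascript
// Added example (not from the report): pre-install screening of an npm manifest.
// Checks (1) whether the package name looks like a typosquat of a well-known
// library and (2) whether the manifest declares lifecycle scripts that npm runs
// automatically on install. All names and manifests below are constructed.
'use strict';

// Assumed allow-list of well-known package names; generate it from your own
// lockfiles or internal registry rather than hard-coding it.
const POPULAR_PACKAGES = [
  'typescript', 'react-router', 'react-router-dom', 'discord.js',
  'express', 'lodash', 'zustand', 'nodemon', 'ethers',
];

// npm lifecycle scripts that execute during `npm install` without user action.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Commands a loader typically uses to fetch or run a second-stage payload.
const LOADER_PATTERN = /\b(curl|wget|bash|sh|powershell|python3?|node\s+-e)\b/i;

// Plain Levenshtein distance (insert, delete and substitute each cost 1).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Lower-case and drop any @scope/ prefix so "@foo/TypeScript" compares as "typescript".
function normalizeName(name) {
  return String(name).toLowerCase().replace(/^@[^/]+\//, '');
}

// Popular names that `name` is within `maxDistance` edits of, compared both as
// given and after stripping a trailing "js", ".js", "-js" or "_js" suffix.
// An exact match to a popular name is not a squat and yields [].
function typosquatCandidates(name, popular = POPULAR_PACKAGES, maxDistance = 2) {
  const n = normalizeName(name);
  if (popular.includes(n)) return [];
  const variants = [n, n.replace(/[-._]?js$/, '')];
  return popular.filter((p) => variants.some((v) => editDistance(v, p) <= maxDistance));
}

// Names of the install-time hooks the manifest defines.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

// Assess one package.json object; returns a list of findings (empty when clean).
function assessManifest(manifest) {
  const findings = [];
  const squats = typosquatCandidates(manifest.name);
  if (squats.length > 0) {
    findings.push(`name "${manifest.name}" resembles ${squats.join(', ')}`);
  }
  for (const hook of installHooks(manifest)) {
    const cmd = manifest.scripts[hook];
    const note = LOADER_PATTERN.test(cmd) ? ' and invokes a shell or downloader' : '';
    findings.push(`${hook} script runs at install time${note}: ${cmd}`);
  }
  return findings;
}

// Constructed sample manifests: a look-alike with an install hook, and a clean package.
const SAMPLE_MANIFESTS = [
  { name: 'typescriptjs', version: '5.4.0', scripts: { postinstall: 'node install.js' } },
  { name: 'react-router', version: '6.26.0', scripts: { test: 'jest' } },
];

if (typeof require !== 'undefined' && require.main === module) {
  // Pass a path to a package.json to screen a real manifest instead of the samples.
  const path = process.argv[2];
  const manifests = path
    ? [JSON.parse(require('fs').readFileSync(path, 'utf8'))]
    : SAMPLE_MANIFESTS;
  for (const m of manifests) {
    const findings = assessManifest(m);
    console.log(`${m.name}@${m.version}: ${findings.length === 0 ? 'no findings' : ''}`);
    findings.forEach((f) => console.log(`  - ${f}`));
  }
}
```

Run it as `node screen.js path/to/package.json` against a package's manifest (for example after `npm pack <name>` and extracting the tarball) before running `npm install`. Pair it with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) so that even a package that slips through cannot execute a loader at install time; hooks that legitimate packages really need can then be run deliberately after review.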
Intelligence Source: Malicious NPM packages fetch infostealer for Windows, Linux, macOS | Oct 30, 2025