
10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux

Medium
Published: Wed Oct 29 2025 (10/29/2025, 08:34:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems. "The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests

AI-Powered Analysis

AI analysis last updated: 10/29/2025, 11:11:25 UTC

Technical Analysis

Cybersecurity researchers identified 10 malicious npm packages uploaded to the npm registry on July 4, 2025, which impersonate popular libraries such as TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand through typosquatting. These packages collectively amassed over 9,900 downloads. Upon installation, a postinstall hook triggers execution of an obfuscated JavaScript payload (app.js) in a new terminal window, separate from the npm install process, to avoid detection. The malware employs four layers of obfuscation techniques, including an XOR cipher with dynamic keys, URL encoding, and hexadecimal and octal arithmetic, to hinder analysis. It first displays a fake CAPTCHA to appear legitimate and fingerprints victims by IP address. Subsequently, it downloads a large (24MB) PyInstaller-packaged information stealer binary from a remote server (195.133.79[.]43).

This stealer targets Windows, Linux, and macOS systems and is capable of extracting sensitive credentials from system keyrings using the keyring npm library, browser-stored authentication tokens, session cookies, SSH keys, and configuration files. The stolen data includes credentials for critical services such as email clients (Outlook, Thunderbird), cloud storage sync tools (Dropbox, Google Drive, OneDrive), VPN clients (Cisco AnyConnect, OpenVPN), password managers, SSH passphrases, and database connection strings. The malware compresses the harvested data into a ZIP archive and exfiltrates it to the attacker's server.

By targeting system keyrings directly, the malware bypasses application-level protections and accesses decrypted credentials, enabling attackers to gain immediate access to corporate email, internal networks, and production databases. The attack requires no user interaction beyond package installation and no authentication, making it highly stealthy and effective in developer environments. The use of typosquatting leverages developer trust in popular npm packages, increasing the likelihood of infection.

Potential Impact

For European organizations, this threat poses a significant risk due to the widespread use of npm packages in software development and the cross-platform nature of the malware affecting Windows, Linux, and macOS. The theft of credentials from system keyrings and browsers can lead to unauthorized access to corporate email, cloud storage, VPNs, internal networks, and production databases, potentially resulting in data breaches, intellectual property theft, and disruption of business operations. The malware’s ability to bypass application-level security by extracting decrypted credentials from system keyrings elevates the risk of lateral movement within networks and prolonged undetected access. Organizations relying on remote development environments or distributed teams are particularly vulnerable. The stealthy execution in separate terminal windows and obfuscation layers complicate detection by traditional endpoint security solutions. Given the malware’s targeting of developer tools, the threat could also compromise software supply chains, leading to downstream impacts on customers and partners. The exfiltration of sensitive credentials to a foreign IP address raises concerns about espionage and data sovereignty for European entities.

Mitigation Recommendations

European organizations should implement strict controls on software supply chain security, including:

1) Enforce the use of verified and trusted npm packages by leveraging package signing and integrity verification tools such as npm's built-in audit and third-party solutions like Snyk or GitHub Dependabot.
2) Employ automated scanning of dependencies for typosquatting and malicious packages before inclusion in projects.
3) Restrict developer permissions to install packages globally or from untrusted sources, and monitor postinstall scripts for suspicious behavior.
4) Use endpoint detection and response (EDR) tools capable of detecting obfuscated scripts and unusual terminal window spawning.
5) Implement network monitoring and firewall rules to detect and block outbound connections to suspicious IP addresses, such as 195.133.79[.]43.
6) Educate developers about the risks of typosquatted packages and encourage vigilance when installing dependencies.
7) Regularly audit system keyrings and credential stores for unauthorized access or anomalies.
8) Employ multi-factor authentication (MFA) and credential vaulting solutions to reduce the impact of stolen credentials.
9) Integrate runtime application self-protection (RASP) and behavioral analytics to detect anomalous process behavior during package installation.
10) Maintain up-to-date incident response plans that include supply chain compromise scenarios.
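The two signals described in the technical analysis (an install-time lifecycle hook and a name that is one or two edits away from a popular library) can be checked before a dependency is installed. The following is an added example, not code from the article or from any of the packages it describes; the package metadata is constructed inline, and the list of popular names and the edit-distance threshold of 2 are assumptions for the demonstration.

```javascript
// Added example (not from the article): flag packages whose package.json declares an
// install-time lifecycle script and/or whose name is a near-typosquat of a popular
// library. Metadata is constructed inline; in practice it would be read from
// node_modules/*/package.json or the lockfile before `npm install` is allowed to run.
const POPULAR = ["typescript", "discord.js", "ethers", "nodemon", "react-router-dom", "zustand"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const MAX_EDITS = 2; // assumed threshold for "close enough to be a typosquat"

// Standard Levenshtein edit distance between two package names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(
        d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Returns the findings for one package. An install hook alone is only a review
// prompt (many legitimate packages have one); an install hook on a near-typosquat
// name is the combination seen in this campaign and is rated "high".
function assessPackage(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS)
    if (scripts[hook]) findings.push(`${hook} script: ${scripts[hook]}`);
  let lookalike = false;
  for (const name of POPULAR) {
    const dist = editDistance(pkg.name, name);
    if (dist > 0 && dist <= MAX_EDITS) { // exact match is the real package, skip
      lookalike = true;
      findings.push(`name is ${dist} edit(s) from "${name}"`);
    }
  }
  const hasHook = INSTALL_HOOKS.some(h => scripts[h]);
  const severity = lookalike && hasHook ? "high" : findings.length ? "review" : "none";
  return { name: pkg.name, severity, findings };
}

// Constructed sample metadata: one genuine package with a build script, one
// look-alike with a postinstall hook, one genuine package with no scripts.
const SAMPLE_PACKAGES = [
  { name: "typescript", scripts: { build: "tsc" } },
  { name: "typescriptjs", scripts: { postinstall: "node app.js" } }, // constructed
  { name: "zustand", scripts: {} },
];

function scanPackages(pkgs) {
  return pkgs.map(assessPackage).filter(r => r.severity !== "none");
}
```

Running `scanPackages(SAMPLE_PACKAGES)` reports only the constructed look-alike, rated "high" because it combines both signals; a genuine package with a postinstall hook would surface as "review" for a human decision rather than an automatic block.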


Technical Details

Article Source: https://thehackernews.com/2025/10/10-npm-packages-caught-stealing.html (fetched 2025-10-29T11:11:03.570Z, 1072 words)

Threat ID: 6901f64a8cf71dc7fdc00fe6

Added to database: 10/29/2025, 11:11:06 AM

Last enriched: 10/29/2025, 11:11:25 AM

Last updated: 10/30/2025, 3:24:51 PM

