The malicious npm package @ibrahim1337/[email protected] (also affecting versions 1.5.0, 2.0.0, and 2.0.1) operates as a Windows x64 credential stealer targeting Chromium-family browsers (Chrome, Brave, Edge). It uses bytenode to execute obfuscated V8 bytecode that detects installed browsers, forcibly terminates their processes to unlock databases, and extracts the app-bound encrypted key from the browser's Local State file. It then uses a prebuilt native Windows addon (debugelevator.node) to bypass Chromium's App-Bound Encryption via a debug session, decrypting the master key. This key is used to read encrypted cookies and login data from browser SQLite databases, which are then saved in cleartext locally. The package contains no source for the native addon, uses obfuscation to hide its license check URL, and has minimal metadata, confirming its intent as a credential theft toolkit. There are no known exploits in the wild reported yet.

Successful installation and execution on a Windows system results in theft of live browser session cookies and saved website passwords from Chromium-based browsers. This compromises user credentials and session tokens, potentially allowing attackers to impersonate users on websites. The malicious package operates stealthily by obfuscation and uses a native binary to bypass Chromium security protections, increasing the risk of undetected credential theft.

No official patch or remediation is available for this malicious package. The best mitigation is to avoid installing or running the @ibrahim1337/baksen package or any unknown/untrusted npm packages. Users should verify package authenticity before installation and monitor for suspicious activity. Since this is a malicious package rather than a vulnerability in legitimate software, removal and system credential resets are recommended if exposure is suspected.