A sophisticated supply-chain attack has been uncovered involving ten malicious npm packages published by the threat actor andrew_r1, targeting Windows, Linux, and macOS developers worldwide. Disguised as legitimate libraries like TypeScript and Discord, these typosquatted packages used deceptive tactics such as fake CAPTCHAs, realistic installation prompts, and heavily obfuscated payloads to perform cross-platform credential theft. The campaign achieved over 9,900 downloads before removal, exploiting npm’s postinstall feature to execute hidden scripts and deploy a 24MB information stealer capable of harvesting system, browser, and authentication credentials. This campaign highlights the rising threat of open-source supply-chain compromises, where a single npm install can silently exfiltrate critical developer data.
Starting on July 4, 2025, and continuing over the following months, ten malicious npm packages were discovered to be part of a multi-stage credential theft operation. Each package employed typosquatting to mimic popular libraries and leveraged npm’s postinstall scripts to trigger malicious execution as soon as the package was installed.
The infection chain began with social engineering — once installed, users were shown a fake CAPTCHA screen that transmitted the victim’s IP address to the attacker’s server for fingerprinting and selective targeting. Upon CAPTCHA completion, the malware downloaded a 24MB cross-platform stealer built using PyInstaller, capable of running natively across Windows, Linux, and macOS.
The payload executed through multiple obfuscation layers — including XOR-based encryption, dynamic keying, and switch-based control-flow confusion — to evade detection and hinder analysis. Once active, the stealer harvested sensitive data from:
The collected information was then archived into ZIP files and exfiltrated via C2 channels to the attacker’s infrastructure. The combination of fake user interactions, cross-OS functionality, and highly obfuscated scripts made this one of the most advanced npm-based campaigns of 2025, underscoring the need for vigilance in open-source dependency management.
package.json for any postinstall or install scripts that open terminals, download binaries, or execute encoded JavaScript — these are red flags.
Malicious Packages:
deezcord.js, dezcord.js, dizcordjs, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, typescriptjs, zustand.js
IPv4: 195.133.79.43
SHA256: 80552ce00e5d271da870e96207541a4f82a782e7b7f4690baeca5d411ed71edb
Email: parvlhonor@gmx[.]com
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1195 / T1195.002 | Supply Chain Compromise / Compromise Software Supply Chain |
| Execution | T1204 / T1204.002 / T1059 / T1059.007 | User Execution / Malicious File / Command & Scripting Interpreter (JavaScript) |
| Defense Evasion | T1027 / T1027.002 / T1036 | Obfuscated Files or Information / Software Packing / Masquerading |
| Credential Access | T1555 / T1555.001 / T1555.003 / T1552 / T1552.001 / T1552.004 | Credentials from Password Stores, Web Browsers, and Files |
| Discovery | T1082 / T1083 / T1614 | System Information Discovery / File and Directory Discovery / System Location Discovery |
| Collection | T1560 / T1560.001 | Archive Collected Data / Archive via Utility |
| Exfiltration | T1041 | Exfiltration Over Command and Control Channel |
| Command and Control | T1071 / T1071.001 | Application Layer Protocol / Web Protocols |
Full MITRE Mapping: attack.mitre.org
Report Date: October 31, 2025 | Source: Hive Pro Threat Advisory (TA2025334)