
Amber | Attack Report

Typosquatted npm Packages Execute Stealthy Credential Theft Operation

Summary

A supply-chain attack has been uncovered involving ten malicious npm packages published under the account andrew_r1 and aimed at Windows, Linux, and macOS developers worldwide. The typosquatted packages impersonated popular libraries such as TypeScript, discord.js, ethers, nodemon, react-router-dom, and zustand, and used a fake CAPTCHA, realistic installation prompts, and heavily obfuscated payloads to steal credentials on all three platforms. The packages reached roughly 9,900 downloads before they were removed. Each one abused npm's postinstall lifecycle script, which runs automatically during installation, to execute a hidden loader and deploy a 24MB information stealer that harvests system, browser, and authentication credentials. The campaign shows how a single npm install of a misspelled dependency can silently exfiltrate a developer's secrets.


Attack Details

Beginning on July 4, 2025, and continuing over the following months, ten malicious npm packages were published as part of a multi-stage credential theft operation. Each package carried a typosquatted name that mimicked a popular library and declared a postinstall script in its package.json, so the malicious code ran as soon as the package was installed, without any further action by the developer.

The infection chain began with social engineering. On installation, the postinstall script presented a fake CAPTCHA prompt; completing it sent the victim's IP address to the attacker's server, which used it for fingerprinting and selective targeting. After the CAPTCHA, the loader downloaded a 24MB cross-platform stealer built with PyInstaller, which bundles a Python interpreter with the payload so that it runs natively on Windows, Linux, and macOS whether or not Python is installed.

The loader was wrapped in several layers of obfuscation, including XOR encoding with dynamically derived keys and switch-based control-flow flattening, to evade signature-based detection and slow down analysis. Once running, the stealer harvested sensitive data from:

  • System keyrings (VPN, email, and cloud storage credentials)
  • Web browsers (passwords, cookies, and session tokens)
  • Authentication services (OAuth, JWT tokens)

The collected data was archived into ZIP files and exfiltrated over the C2 channel to the attacker's infrastructure. The combination of fake user interaction, cross-platform functionality, and heavily obfuscated loaders makes this one of the more advanced npm-based campaigns of 2025 and underscores the need for careful open-source dependency management.


Recommendations

  1. Immediately Remove Malicious Packages:
    Uninstall any affected packages and any dependencies with typosquatted names such as typescriptjs, react-router-dom.js, or zustand.js (the full list is under Indicators of Compromise). Because the stealer targets keyrings, browsers, and tokens, treat every credential present on an affected machine as exposed and rotate it.
  2. Verify Package Authenticity:
    Review the publisher, the exact package name, and the download count before installing, and treat small variations on a well-known name (an appended ".js", a swapped or dropped letter) as suspect. Download counts alone are not proof of legitimacy: these packages accumulated about 9,900 downloads before removal.
  3. Inspect Post-install Scripts:
    Examine each dependency's package.json for preinstall, install, or postinstall scripts that open terminals, download binaries, or run encoded JavaScript; these are red flags. Setting ignore-scripts=true in .npmrc (or running npm install --ignore-scripts) stops lifecycle scripts from running at all; some legitimate packages rely on them to build native modules, so those builds may then need to be run explicitly.
  4. Monitor System Behavior:
    Watch for unusual network activity, unexpected processes, or new executables following npm installs. In this campaign the observable signs were a CAPTCHA or terminal window appearing during installation, a new executable of about 24MB, and outbound connections to 195.133.79.43.
  5. Enhance Endpoint Security:
    Deploy EDR/NGAV solutions with behavioral detection and machine learning to identify obfuscated payloads and credential theft attempts.

Indicators of Compromise (IOCs)

Malicious Packages:
deezcord.js, dezcord.js, dizcordjs, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, typescriptjs, zustand.js

IPv4:
195.133.79.43

SHA256:
80552ce00e5d271da870e96207541a4f82a782e7b7f4690baeca5d411ed71edb

Email:
parvlhonor@gmx[.]com


MITRE ATT&CK TTPs

Tactic               Technique / Sub-technique
Initial Access       T1195 Supply Chain Compromise; T1195.002 Compromise Software Supply Chain
Execution            T1204 User Execution; T1204.002 Malicious File; T1059 Command and Scripting Interpreter; T1059.007 JavaScript
Defense Evasion      T1027 Obfuscated Files or Information; T1027.002 Software Packing; T1036 Masquerading
Credential Access    T1555 Credentials from Password Stores; T1555.001 Keychain; T1555.003 Credentials from Web Browsers; T1552 Unsecured Credentials; T1552.001 Credentials In Files; T1552.004 Private Keys
Discovery            T1082 System Information Discovery; T1083 File and Directory Discovery; T1614 System Location Discovery
Collection           T1560 Archive Collected Data; T1560.001 Archive via Utility
Exfiltration         T1041 Exfiltration Over C2 Channel
Command and Control  T1071 Application Layer Protocol; T1071.001 Web Protocols

Full MITRE Mapping:
attack.mitre.org


Report Date: October 31, 2025 | Source: Hive Pro Threat Advisory (TA2025334)
