Malicious npm Packages Caught Stealing Developer Credentials Across Multiple Operating Systems

Updated: 2 days ago

Cybersecurity researchers have uncovered a significant threat within the npm ecosystem, identifying ten malicious packages designed to steal sensitive developer credentials. These packages, disguised as legitimate libraries, were downloaded thousands of times before being detected, posing a serious risk to developers on Windows, Linux, and macOS.

Key Takeaways

  • Ten malicious npm packages were discovered, collectively downloaded nearly 10,000 times.

  • The packages employed sophisticated obfuscation techniques and a fake CAPTCHA to evade detection.

  • They targeted system keyrings, browsers, and authentication services to harvest credentials.

  • The malware operated across Windows, Linux, and macOS, bypassing application-level security.

The Threat Unveiled

Researchers from Socket identified ten npm packages that were uploaded to the registry on July 4, 2025. These packages, which accumulated over 9,900 downloads, were designed to deliver an information-stealing payload. The malicious packages impersonated popular libraries through typosquatting, including variants of TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand.

How the Attack Works

Upon installation, these malicious packages execute a "postinstall" script that triggers a multi-stage attack. The malware first displays a fake CAPTCHA and mimics legitimate installation processes to avoid suspicion. It then fingerprints the victim's IP address and sends it to a remote server before downloading a 24MB information stealer. This stealer, packaged with PyInstaller, is capable of harvesting credentials from system keyrings, web browsers, and various authentication services across all major operating systems.
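Because the attack described above hinges on an automatically executed "postinstall" script, the first thing a defender wants to know is which installed dependencies declare install-time lifecycle hooks at all. The following is an added example (not code from the article, from Socket, or from the packages it names) that inventories those hooks from a set of package.json manifests; the manifests and package names here are constructed for illustration, and in practice you would load them from node_modules/<pkg>/package.json.

```javascript
// Added example: list which installed packages declare npm lifecycle hooks that
// run automatically during `npm install` (preinstall, install, postinstall).
// All manifests below are constructed sample data, not real packages.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Native add-ons legitimately compile during install; these commands are the
// common, expected shapes and are labelled so reviewers can focus on the rest.
const EXPECTED_NATIVE_BUILD = /\b(node-gyp(?:\s+rebuild)?|prebuild-install|node-pre-gyp)\b/;

// Return one record per (package, hook) pair found in the manifests.
function findInstallHooks(manifests) {
  const hits = [];
  for (const manifest of manifests) {
    const scripts = manifest.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === "string") {
        hits.push({
          name: manifest.name,
          hook,
          command: scripts[hook],
          nativeBuild: EXPECTED_NATIVE_BUILD.test(scripts[hook]),
        });
      }
    }
  }
  return hits;
}

// Constructed manifests standing in for node_modules/<pkg>/package.json files.
const SAMPLE_MANIFESTS = [
  { name: "sample-utils", scripts: { test: "node test.js" } },
  { name: "sample-native", scripts: { install: "node-gyp rebuild" } },
  { name: "sample-suspect", scripts: { postinstall: "node install.js" } },
];

// Print a short review list: anything that is not a recognisable native build
// deserves a look before the dependency is trusted.
for (const hit of findInstallHooks(SAMPLE_MANIFESTS)) {
  const tag = hit.nativeBuild ? "native build (expected)" : "REVIEW";
  console.log(`${hit.name}: ${hit.hook} -> "${hit.command}" [${tag}]`);
}
```

Running this over a real node_modules tree gives a short list to review by hand; pairing it with `npm install --ignore-scripts` (or `npm config set ignore-scripts true` in CI) means a package cannot run such a hook until someone has looked at it.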

Bypassing Security Measures

A particularly concerning aspect of this attack is its ability to target system keyrings. These keyrings store decrypted credentials for critical services such as email clients, cloud storage tools, VPN connections, password managers, and SSH keys. By directly accessing the keyring, the malware bypasses application-level security, gaining direct access to sensitive corporate data, internal networks, and production databases.

The malware employs four layers of obfuscation, including XOR ciphers and hexadecimal arithmetic, to hide its payload and resist analysis. It also spawns a new terminal window during installation, which it quickly clears, to operate independently of the npm installation process and avoid developer scrutiny.

Mitigation and Prevention

Developers who may have installed any of the affected packages are advised to treat their systems as compromised. Immediate steps include disconnecting the system from the internet, revoking all potentially exposed credentials (including SSH keys, API tokens, cloud provider keys, and npm tokens), and changing all passwords. It is also recommended to wipe and rebuild the infected system, audit npm dependencies and lockfiles, review system logs for suspicious activity, and enable multi-factor authentication on all accounts.

The identified malicious packages are:

  • deezcord.js

  • dezcord.js

  • dizcordjs

  • etherdjs

  • ethesjs

  • ethetsjs

  • nodemonjs

  • react-router-dom.js

  • typescriptjs

  • zustand.js
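Auditing dependencies and lockfiles, as the mitigation section advises, can be partly automated. The following is an added example (not code from the article or from Socket) that walks a package-lock.json, reports any of the ten package names listed above, and, going a step beyond the article, flags names that are a short edit distance from the genuine packages they imitate once cosmetic differences (case, separators, a trailing "js") are stripped. The lockfile content, the "etherz" name and the version strings are constructed for illustration.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2 or 3) against the
// ten malicious names from the report and against typosquat-style near misses.
// The lockfile below is constructed sample data.

const KNOWN_MALICIOUS = new Set([
  "deezcord.js", "dezcord.js", "dizcordjs", "etherdjs", "ethesjs", "ethetsjs",
  "nodemonjs", "react-router-dom.js", "typescriptjs", "zustand.js",
]);

// Genuine packages the malicious names imitate.
const POPULAR = ["typescript", "discord.js", "ethers", "nodemon", "react-router-dom", "zustand"];

// Classic edit distance (insert/delete/substitute), two-row version.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Collapse the differences typosquatters lean on: case, "." and "-", and a
// trailing "js" (so "react-router-dom.js" and "react-router-dom" compare equal).
function normalize(name) {
  let n = name.toLowerCase().replace(/[^a-z0-9]/g, "");
  if (n.length > 2 && n.endsWith("js")) n = n.slice(0, -2);
  return n;
}

// Package names from the "packages" map; nested node_modules and scoped names are handled.
function lockfilePackages(lock) {
  const marker = "node_modules/";
  return Object.keys(lock.packages || {})
    .filter((key) => key.includes(marker))
    .map((key) => key.slice(key.lastIndexOf(marker) + marker.length));
}

function auditLockfile(lock, threshold = 2) {
  const findings = [];
  for (const name of lockfilePackages(lock)) {
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, kind: "known-malicious" });
      continue;
    }
    if (POPULAR.includes(name)) continue; // the genuine package itself
    const norm = normalize(name);
    for (const real of POPULAR) {
      const distance = levenshtein(norm, normalize(real));
      if (distance <= threshold) {
        findings.push({ name, kind: "typosquat-candidate", resembles: real, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed lockfile: one genuine package, one name from the report, one
// near miss ("etherz" is an invented name), and two unrelated packages.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/typescript": { version: "0.0.0-sample" },
    "node_modules/typescriptjs": { version: "0.0.0-sample" },
    "node_modules/etherz": { version: "0.0.0-sample" },
    "node_modules/express": { version: "0.0.0-sample" },
    "node_modules/express/node_modules/debug": { version: "0.0.0-sample" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(JSON.stringify(f));
```

The near-miss heuristic is deliberately narrow: with a threshold of 2 it catches names such as "dizcordjs" and "typescriptjs" but not "deezcord.js" (three edits from "discord"), which is why the exact blocklist is kept alongside it. Treat candidates as a review queue, not a verdict, and keep the blocklist updated from the advisories you rely on.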

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • 10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux, The Hacker News.

  • Dangerous npm packages are targeting developer credentials on Windows, Linux and Mac, TechRadar.
