10 npm Typosquatted Packages Deploy Multi-Stage Credential Harvester

Socket Threat Research Team discovered 10 malicious typosquatted npm packages that use a multi-stage, cross-platform credential stealer distributed via npm postinstall hooks and a 24MB PyInstaller binary. The campaign uses four layers of JavaScript obfuscation, a fake CAPTCHA social-engineering step, IP fingerprinting, and exfiltration to C2 server 195[.]133[.]79[.]43.

Keypoints

  • Ten typosquatted npm packages published July 4, 2025 (e.g., deezcord.js, dezcord.js, dizcord.js) accumulated over 9,900 downloads and remain live; Socket petitioned npm for removal.
  • Malicious packages use npm’s postinstall hook to automatically execute install.js, which spawns a new terminal and launches an obfuscated app.js to evade detection.
  • app.js employs four obfuscation layers: eval self-decoding wrapper, XOR decryption with dynamic key, URL encoding, and complex control-flow obfuscation to frustrate static analysis.
  • Social engineering displays a fake ASCII CAPTCHA and fake package installation messages to appear legitimate and delay suspicion; any user input triggers payload download.
  • Malware fingerprints victims by sending IP to http://195[.]133[.]79[.]43/get_current_ip, then downloads a platform-specific PyInstaller binary (data_extracter) that harvests credentials across Windows, Linux, and macOS.
  • data_extracter (SHA256 80552ce00e5d271da870e96207541a4f82a782e7b7f4690baeca5d411ed71edb) performs recursive filesystem scans, extracts browser cookies/passwords, system keyrings, SSH keys, cloud credentials, OAuth/JWT tokens, and packages them into compressed archives for exfiltration.
  • Recommendations: assume compromise if packages installed, rotate credentials and tokens, enable MFA, audit logs for accesses and connections to 195[.]133[.]79[.]43, and use dependency-scanning tools (Socket apps, CLI, Firewall) to block malicious packages.

MITRE Techniques

  • [T1195.002] Supply Chain Compromise – Using npm registry and typosquatted package names to distribute malicious code via legitimate developer workflows. Quote: ‘10 malicious npm packages that deploy a multi-stage credential theft operation.’
  • [T1027] Obfuscated Files or Information – Four layers of obfuscation in app.js to evade static analysis. Quote: ‘The app.js file contains heavily obfuscated JavaScript designed to evade static analysis.’
  • [T1027.002] Software Packing – PyInstaller packaging of the Python information stealer to hide functionality and avoid dependency detection. Quote: ‘The downloaded data_extracter binary … is a 24MB PyInstaller-packaged Python application.’
  • [T1204.002] User Execution: Malicious File – Fake CAPTCHA prompt and terminal interaction to prompt user input that triggers binary download and execution. Quote: ‘Upon installation, the malware displays a fake CAPTCHA prompt … Once the victim enters any text … the malware immediately downloads and executes the data_extracter binary.’
  • [T1059.007] Command and Scripting Interpreter: JavaScript – Use of Node.js scripts (postinstall, install.js, app.js) to execute malicious logic. Quote: ‘The package.json configuration ensures the malicious payload runs immediately after installation: … "postinstall": "node install.js"’
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Spawning new terminal windows and executing shell commands on Linux/macOS to run payloads. Quote: ‘exec('gnome-terminal -- bash -c "node app.js"', …)’
  • [T1059.006] Command and Scripting Interpreter: Python – Executing a PyInstaller-packaged Python binary (data_extracter) to perform credential theft. Quote: ‘The downloaded data_extracter binary … is a 24MB PyInstaller-packaged Python application.’
  • [T1555] Credentials from Password Stores – Extracting credentials from system keyrings (Keychain, Credential Manager, SecretService). Quote: ‘The data_extracter binary includes the keyring library with platform-specific backend implementations.’
  • [T1555.003] Credentials from Web Browsers – Extracting saved passwords and cookies from browsers (Firefox, Chromium-based). Quote: ‘Browser session cookies … Saved passwords from browser password managers.’
  • [T1555.001] Keychain – Targeting macOS Keychain and other OS keyring APIs to harvest stored credentials. Quote: ‘macOS: Keychain Services API’
  • [T1539] Steal Web Session Cookie – Harvesting browser session cookies to hijack authenticated sessions. Quote: ‘Browser cookies are particularly valuable because they contain active session tokens.’
  • [T1552.001] Unsecured Credentials: Credentials In Files – Searching configuration files like ~/.aws/credentials, ~/.kube/config, .env files for stored credentials. Quote: ‘Configuration files in home directory (~/.aws/credentials, ~/.kube/config, ~/.docker/config.json)’
  • [T1552.004] Unsecured Credentials: Private Keys – Locating SSH private keys in ~/.ssh to enable repository and server access. Quote: ‘SSH key directories (~/.ssh/ containing id_rsa, id_ed25519)’
  • [T1071.001] Application Layer Protocol: Web Protocols – Using HTTP to communicate with C2 server and download payloads. Quote: ‘http://195[.]133[.]79[.]43/get_current_ip’ and ‘http://195[.]133[.]79[.]43/data_extracter’
  • [T1041] Exfiltration Over C2 Channel – Transmitting compressed archives of harvested credentials back to the attacker’s server. Quote: ‘This compressed archive is then transmitted back to the threat actor’s server at 195[.]133[.]79[.]43’
  • [T1560.001] Archive Collected Data: Archive via Utility – Creating ZIP archives and staging files in /var/tmp or /usr/tmp before exfiltration. Quote: ‘ZIP file creation and compression for collected credentials … Temporary file creation in /var/tmp, /usr/tmp for staging stolen data’
  • [T1027.009] Embedded Payloads – JavaScript includes embedded, URL-encoded and XOR-encrypted payload strings requiring runtime decoding. Quote: ‘The payload string is URL-encoded (%5E%0A%03%03%0D%15…), requiring URI decoding before XOR decryption.’
  • [T1140] Deobfuscate/Decode Files or Information – The malware performs runtime decoding and deobfuscation to reveal and execute payloads. Quote: ‘The payload only reveals itself at runtime through multiple evaluation steps.’
  • [T1082] System Information Discovery – Detecting platform via os.platform() to select appropriate binary. Quote: ‘install.js script detects the victim’s operating system and launches the obfuscated payload in a new terminal window.’
  • [T1083] File and Directory Discovery – Recursive filesystem scanning to locate browser profiles, SSH keys, and config files. Quote: ‘The data_extracter binary performs extensive file system operations to locate and extract credentials from common storage locations.’

Indicators of Compromise

  • [Malicious npm Packages] typosquatted packages published July 4, 2025 – deezcord.js, dezcord.js, dizcord.js (and 7 more packages listed in article)
  • [Network Infrastructure] C2 and payload host – 195[.]133[.]79[.]43 (endpoints include /get_current_ip and /data_extracter)
  • [File Hash] Malware binary SHA256 – 80552ce00e5d271da870e96207541a4f82a782e7b7f4690baeca5d411ed71edb (data_extracter)
  • [File Name] Downloaded payload binary – data_extracter (PyInstaller-packaged 24MB executable)
  • [Threat Actor Identifiers] npm alias and email – npm alias: andrew_r1; email: parvlhonor@gmx[.]com


Read more: https://socket.dev/blog/10-npm-typosquatted-packages-deploy-credential-harvester