Skuld Infostealer Returns to npm with Fake Windows Utilities and Malicious Solara Development Packages

MITRE Techniques

• [T1195.002] Supply Chain Compromise – Delivered Skuld via malicious npm packages and typosquatting to compromise the software supply chain (‘typosquatting’ / ‘disguised malicious packages’).
• [T1059.007] Command and Scripting Interpreter: JavaScript – Malicious behavior implemented in package JavaScript that downloads and executes a binary (‘const fetch = require(“node-fetch”)’ / ‘exec(exeFilePath)’).
• [T1036.005] Masquerading: Match Legitimate Name or Location – Packages mimicked legitimate libraries and Windows utilities to deceive developers (‘masquerading as Windows-related utilities’ / ‘posed their malicious package as a legitimate library’).
• [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Code was obfuscated using Obfuscator.io to evade detection (’employed Obfuscator.io’ / ‘deobfuscated, defanged, and annotated’).
• [T1546.016] Event Triggered Execution: Installer Packages – The package installation triggered fetching and execution of a downloaded executable (‘silently fetched and executed the malware under the filename download.exe’).
• [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Skuld targeted browsers to steal stored credentials and cookies (‘steal passwords, cookies, sensitive files, and browsing history from Chromium and Gecko-based browsers’).
• [T1552.001] Unsecured Credentials: Credentials In Files – Campaign likely exposed tokens and credentials present in files or dev environments (‘Credentials, tokens, and other sensitive data were likely stolen’).
• [T1567.004] Exfiltration Over Web Service: Exfiltration Over Webhook – Data exfiltration performed via Discord and Telegram webhooks (‘Discord webhook’ / provided webhook URLs in IOCs).