Security researchers uncovered a campaign involving typosquatted npm packages that execute malicious payloads on installation to steal credentials. This campaign used obfuscated multi-platform binaries, social engineering techniques, and IP fingerprinting to compromise systems before exfiltrating sensitive data. #npmTyposquatting #CredentialStealer
Key points
- The malicious npm packages mimic popular libraries like discord.js, ethers.js, and react-router-dom.
- The attack utilizes npm’s postinstall hook to automatically run a heavily obfuscated payload upon installation.
- The malware performs IP fingerprinting, conducts social engineering with fake CAPTCHAs, and displays legitimate-looking install messages.
- It downloads and executes a platform-specific credential-stealing binary called data_extracter, packaged via PyInstaller.
- Organizations are advised to remove the malicious packages, reset any credentials that may have been exposed, enable multi-factor authentication, and monitor network activity for the published indicators of compromise (IOCs).
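Two of the traits the summary describes, lookalike package names and a `postinstall` hook that runs on installation, can be triaged from a project's manifests before anything executes. The script below is an added defender-side example, not code from the article or from the campaign; the "known popular packages" list and every dependency name, version and manifest in it are constructed samples, and the name-similarity threshold is an assumption rather than a published rule.

```javascript
// Added example: triage a dependency set for (1) names that sit within a small
// edit distance of well-known packages and (2) lifecycle scripts that npm runs
// at install time. All data below is constructed for illustration.

// Levenshtein edit distance: single-character insertions, deletions, substitutions.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j], needed as next diagonal
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Assumed short allow-list of popular packages; a real check would use a
// curated list of the packages an organization actually relies on.
const KNOWN_PACKAGES = ['discord.js', 'ethers.js', 'react-router-dom', 'lodash', 'express', 'axios'];

// Flag dependency names that are close to, but not identical to, a known package.
function findLookalikes(dependencies, knownPackages, maxDistance = 2) {
  const known = knownPackages.map((n) => n.toLowerCase());
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    const lower = name.toLowerCase();
    if (known.includes(lower)) continue; // exact match to a known package
    let best = null;
    for (const candidate of known) {
      const d = editDistance(lower, candidate);
      if (best === null || d < best.distance) best = { lookalike: candidate, distance: d };
    }
    if (best && best.distance <= maxDistance) {
      findings.push({ name, resembles: best.lookalike, distance: best.distance });
    }
  }
  return findings;
}

// npm runs these scripts automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Report every installed package manifest that declares an install-time script.
function findInstallHooks(manifests) {
  const findings = [];
  for (const pkg of manifests) {
    const scripts = pkg.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string') {
        findings.push({ name: pkg.name, version: pkg.version, hook, command: scripts[hook] });
      }
    }
  }
  return findings;
}

function triage(dependencies, manifests, knownPackages) {
  return {
    lookalikes: findLookalikes(dependencies, knownPackages),
    installHooks: findInstallHooks(manifests),
  };
}

// Constructed sample: the "dependencies" object of a project's package.json.
const SAMPLE_DEPENDENCIES = {
  'discrod.js': '^14.0.0',      // constructed lookalike of discord.js
  'ether.js': '^6.0.0',         // constructed lookalike of ethers.js
  'react-router-dom': '^6.0.0', // legitimate exact match, must not be flagged
  'left-pad': '^1.3.0',         // unrelated name, must not be flagged
};

// Constructed sample: package.json files as found under node_modules/.
const SAMPLE_MANIFESTS = [
  { name: 'discrod.js', version: '14.0.1', scripts: { postinstall: 'node ./lib/setup.js' } },
  { name: 'react-router-dom', version: '6.22.0', scripts: { test: 'jest' } },
  { name: 'left-pad', version: '1.3.0' },
];

console.log(JSON.stringify(triage(SAMPLE_DEPENDENCIES, SAMPLE_MANIFESTS, KNOWN_PACKAGES), null, 2));
```

Edit distance alone produces false positives (legitimate forks and plugins often differ from a popular name by a character or two), so treat a hit as a prompt to check the publisher, download history and repository link rather than as a verdict. Install-time scripts are legitimate in some packages, but each one listed is code that runs with the developer's privileges the moment the package is installed; `npm install --ignore-scripts` prevents them from running while the list is reviewed.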
Read More: https://thecyberexpress.com/typosquatted-npm-packages-credential-stealer/