NPM Packages Cause Havoc

Ten typosquatting npm packages were published that execute an obfuscated loader at postinstall, display a fake ASCII CAPTCHA, fingerprint victims, download a 24 MB PyInstaller-packaged infostealer, and exfiltrate credentials, browser data, SSH keys, and tokens to an attacker-controlled server at 195.133.79.43. The packages have nearly 10,000 downloads and target Windows, Linux, and macOS systems.

Affected Packages and Indicators of Compromise

  • Malicious package names
    • typescriptjs, deezcord.js, dizcordjs, dezcord.js, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, zustand.js
  • C2 / Exfiltration host
    • 195.133.79.43
  • Behavioral indicators
    • Unexpected terminal window launched during npm install
    • ASCII “CAPTCHA” displayed in terminal
    • app.js executed outside normal install log; terminal quickly cleared
    • Outbound connections to unusual domains or IPs shortly after install
    • Creation of temporary staging archives in /var/tmp or /usr/tmp
    • New or modified files launched from install directories or temp paths
  • Data types at risk
    • Windows Credential Manager, macOS Keychain, Linux SecretService/libsecret/KWallet
    • Chromium and Firefox profile data (saved passwords, cookies, sessions)
    • SSH private keys in common locations (~/.ssh)
    • OAuth, JWT, API tokens stored in files or environment variables

Immediate Remediation Steps for Incident Response

  1. Isolate affected hosts
    • Disconnect compromised machines from the network or limit egress while investigating.
  2. Stop persistence and running payloads
    • Search for and terminate processes spawned from npm installs and any suspicious binaries in temp paths.
    • Remove the downloaded PyInstaller binaries and the malicious npm packages from projects and global installs.
  3. Rotate credentials and secrets
    • Immediately rotate all credentials, API keys, tokens, and SSH keys that could have been present on affected hosts.
    • Invalidate sessions for affected accounts (web consoles, cloud providers, Git providers, CI systems).
  4. Rebuild or remediate hosts
    • For high-assurance recovery, rebuild compromised systems from known-good images. If rebuild is not feasible, perform comprehensive forensic cleanup and verification.
  5. Forensic collection
    • Preserve memory, disk images, npm logs, and network logs for investigation.
    • Collect npm install logs, shell histories, timestamps of package installs, and files under /var/tmp or /usr/tmp.
  6. Notify stakeholders
    • Inform security team, application owners, and any affected third parties. Provide scope, assets impacted, and required credential rotations.

Detection and Hunting Guidance

  • Query logs for npm installs from July 4 onward for the listed package names and for unexpected postinstall activity.
  • Network detection
    • Alert on outbound connections to 195.133.79.43 and to newly observed download hosts.
    • Watch for large HTTP(S) downloads (~24 MB) immediately after npm install events.
  • Endpoint detection
    • Look for spawned terminals and app.js executions during npm install processes.
    • Hunt for PyInstaller-extracted binaries, unusual executables in temp directories, and compressed archives created under /var/tmp or /usr/tmp.
    • Scan endpoints for access to keyring stores, browser profile access, or attempts to read ~/.ssh.
  • Log sources to check
    • Endpoint telemetry, antivirus/EPP alerts, EDR process trees, network proxies, IDS/IPS, SIEM, npm and CI logs.
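As an added illustration of the hunting guidance above (example code written for this page, not from the original advisory or any vendor tool), the script below audits installed package manifests for the ten listed names and for install-time hooks that execute a script, and filters proxy log lines that reached the listed exfiltration host. The manifest and log samples are constructed; the hook regex is a triage heuristic, and the manifests would in practice be read from `node_modules/*/package.json`.

```javascript
const KNOWN_BAD = new Set([
  'typescriptjs', 'deezcord.js', 'dizcordjs', 'dezcord.js', 'etherdjs',
  'ethesjs', 'ethetsjs', 'nodemonjs', 'react-router-dom.js', 'zustand.js',
]);
const EXFIL_HOST = '195.133.79.43';
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// manifests: parsed package.json objects, one per installed package
// (e.g. gathered from node_modules/*/package.json).
function auditManifests(manifests) {
  const findings = [];
  for (const m of manifests) {
    if (KNOWN_BAD.has(m.name)) {
      findings.push({ name: m.name, rule: 'known-typosquat' });
    }
    for (const hook of INSTALL_HOOKS) {
      const cmd = m.scripts && m.scripts[hook];
      // The loader described above runs a separate JS file at postinstall, so
      // any hook that executes node/shell or fetches from the network is
      // queued for review; legitimate packages also use hooks, so this is
      // a triage signal rather than a verdict.
      if (cmd && /\b(node|sh|bash|curl|wget|powershell)\b/.test(cmd)) {
        findings.push({ name: m.name, rule: 'install-hook', hook, cmd });
      }
    }
  }
  return findings;
}

// lines: proxy or firewall log lines; returns those that reached the C2 host.
function flagEgress(lines) {
  return lines.filter((line) => line.includes(EXFIL_HOST));
}

// Constructed sample data for a stand-alone run (not real artifacts).
const SAMPLE_MANIFESTS = [
  { name: 'zustand', scripts: {} },
  { name: 'zustand.js', scripts: { postinstall: 'node app.js' } },
  { name: 'native-addon-example', scripts: { postinstall: 'node install.js' } },
];
const SAMPLE_LOG = [
  'Jul  5 10:01:02 dev-ws-12 proxy: CONNECT registry.npmjs.org:443 allowed',
  'Jul  5 10:01:09 dev-ws-12 proxy: CONNECT 195.133.79.43:80 allowed',
];

console.log(auditManifests(SAMPLE_MANIFESTS));
console.log(flagEgress(SAMPLE_LOG));
```

Feed it the real manifests and a day of proxy logs, then review the `install-hook` hits by hand, since the hook rule is meant to produce a short review queue, not a block list.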

Short-Term and Long-Term Preventive Controls

Short-Term

  • Block the malicious package names and known download IPs at DNS/proxy/firewall level.
  • Add detection rules to EDR for npm postinstall spawning terminals and execution of external app.js files.
  • Force multi-factor authentication and session revocation across developer tooling and cloud consoles.

Long-Term

  • Implement allowlists for packages used in build and runtime environments; require vetted package publishers for production builds.
  • Enforce SBOM and supply-chain scanning in CI pipelines; block installs of packages flagged by supply-chain scanners.
  • Require package signature verification or prefer scoped packages from trusted organizations.
  • Harden developer workstations: least privilege for dev accounts, restrict ability to execute binaries from temp directories, and enable advanced EDR/credential protection.
  • Educate developers about typosquatting risks and safe package verification (verify publisher, check stars/weekly downloads, inspect postinstall scripts before installing).

Summary

Ten npm typosquatting packages were found dropping an obfuscated loader that fetches a 24 MB PyInstaller infostealer targeting Windows, Linux, and macOS, exfiltrating keyrings, browser credentials, SSH keys, and tokens to 195.133.79.43. If you install npm packages manually or via CI, double-check package names and publishers, scan install scripts, and rotate exposed credentials immediately.
