Malicious npm Packages Steal Developer Credentials Across Windows, Linux, and macOS

npm Packages Credential Theft Alerts

Cybersecurity researchers have identified ten malicious npm packages designed to deliver an information stealer to Windows, Linux, and macOS systems.

“The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS,” Socket security researcher Kush Pandya said.

The multi-stage credential theft operation relied on typosquatted packages that impersonated popular npm modules, including TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand.

Once installed, the malware displays a fake CAPTCHA prompt and prints output that mimics a legitimate package installation, so the setup appears to be proceeding normally.

In the background, however, the package records the victim’s IP address, sends it to a remote server (“195.133.79[.]43”), and then drops the main payload.

Each package declares a postinstall hook that runs automatically on installation and launches a script named “install.js.” That script determines the victim’s operating system and starts an obfuscated payload (“app.js”) in a new terminal window: Command Prompt on Windows, GNOME Terminal or x-terminal-emulator on Linux, or Terminal on macOS.

“By spawning a new terminal window, the malware runs independently of the npm install process,” Pandya noted.

“Developers who glance at their terminal during installation see a new window briefly appear, which the malware immediately clears to avoid suspicion.”