10 npm Typosquatted Packages Deploy Multi-Stage Credential Harvester
Blog post from Socket
Socket's Threat Research Team uncovered a multi-stage malware operation spanning 10 malicious npm packages built for cross-platform credential theft. The malware, wrapped in several layers of obfuscation, uses social engineering such as a fake CAPTCHA prompt to convince users that the packages are legitimate. It abuses npm's postinstall lifecycle hook to run automatically at install time, harvesting credentials from system keyrings, browsers, and authentication services on Windows, Linux, and macOS. The packages impersonate popular libraries through typosquatting, and the operation has accumulated over 9,900 downloads. The malware also fingerprints victims by IP address and downloads a PyInstaller-packaged binary, data_extracter, which extracts and exfiltrates sensitive information. Organizations are advised to audit their dependencies for these packages, reset any credentials that may have been exposed, and deploy protective tooling such as Socket's GitHub app and CLI to detect supply chain attacks of this kind.