10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux

Security researchers recently discovered that ten malicious npm packages were uploaded to the public npm registry. These packages were designed to look like legitimate ones but had slightly altered names, a trick known as typosquatting. The goal was to make developers accidentally install them, allowing attackers to secretly execute malicious code during the installation process on Windows, macOS, and Linux systems.

When these fake packages were installed, they automatically ran hidden code without any user action. That code downloaded a large 24 MB file built using PyInstaller, which contained an information-stealing malware. Researchers found that this file was heavily obfuscated using multiple layers to hide its true purpose and to make detection harder for antivirus and security tools.

Once the malicious file was executed, it displayed a fake CAPTCHA window to make everything appear normal. This was done to distract the victim and make the process look legitimate. In the background, the malware collected sensitive information such as browser passwords, system keyrings, cloud access tokens, SSH keys, and CI/CD credentials. All of this data was then secretly sent to remote servers controlled by the attackers.

According to reports, these ten malicious packages were downloaded nearly ten thousand times before they were detected and removed. While that might not sound like a huge number, it’s extremely serious because most of those downloads likely happened in developer environments. That means the attackers gained access to important development tools, private repositories, and even company cloud infrastructure.

Experts explained that the biggest risk in such attacks is the automatic execution of code during the npm installation process. Developers often trust open-source libraries and rarely double-check dependencies. This trust was exactly what the attackers exploited. Once installed, the malicious scripts didn’t need any user action they simply ran, collected credentials, and compromised systems silently.

Security researchers have strongly advised developers to take immediate precautions. Anyone who has recently installed unknown or suspicious npm packages should assume their credentials may be exposed. Developers are urged to rotate all access tokens, change passwords, and remove any unauthorized scripts or workflows in their CI/CD pipelines. Checking logs and monitoring for unusual activity are also highly recommended steps.

To stay safe in the future, developers should regularly audit their dependencies and look out for typosquatted package names. It’s also important to pin trusted versions of packages, use automated tools to scan for malicious dependencies, and store credentials securely. Using two-factor authentication for npm, GitHub, and cloud services can further reduce risks if credentials are stolen.

This incident once again highlights how the open-source ecosystem can be targeted by attackers to compromise the software supply chain. It shows that even a small or unnoticed dependency can open the door for major security breaches. Developers need to stay alert, verify sources carefully, and treat every new package with caution to prevent such attacks in the future.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news