Security researchers have identified a cluster of 10 malicious npm packages designed to deliver an information stealer that targets Windows, Linux and macOS systems, Socket security researcher Kush Pandya said.
The packages were uploaded to the npm registry on July 4, 2025, and together accumulated more than 9,900 downloads. Their typosquatted names impersonated popular libraries and tools, including TypeScript, discord.js, ethers.js, nodemon, react-router-dom and zustand: the packages were published as deezcord.js, dezcord.js, dizcordjs, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, typescriptjs and zustand.js.
Once installed, the packages display a fake CAPTCHA and produce output that mimics legitimate installation messages while fingerprinting victims by IP address and sending that information to an external server (reported as 195.133.79[.]43), then dropping the main malware, Pandya said.
The malicious code is configured to run automatically via an npm postinstall hook. The hook launches an “install.js” script that detects the operating system and opens an obfuscated payload called “app.js” in a new terminal window (Command Prompt on Windows, GNOME Terminal or x-terminal-emulator on Linux, or Terminal on macOS); the separate window allows the payload to run independently and clears its output to reduce suspicion, researchers said.
The JavaScript payload uses multiple layers of obfuscation – including an XOR cipher with a dynamically generated key, URL encoding and hexadecimal and octal arithmetic – to resist analysis, and then downloads a 24MB PyInstaller-packaged information stealer. That stealer is reported to harvest credentials, authentication tokens and session cookies from browsers and other services, and to search for secrets across the infected system.
The final-stage binary includes platform-specific routines to extract credentials from the system keyring by leveraging the keyring npm library, compresses harvested data into a ZIP archive and exfiltrates it to the attacker-controlled server. Socket noted that targeting system keyrings can yield decrypted credentials for email clients, cloud sync tools, VPNs, SSH keys and other applications that integrate with the operating system.
The report did not identify who was behind the campaign or indicate whether the malicious packages have been removed from the registry.