For the past four months, over 130 malicious NPM packages deploying information stealers have been collectively downloaded roughly 100,000 times, security researchers warn.
A total of 136 NPM packages engaging in the malicious behavior have been identified, as part of two different operations that have been active since July and August, respectively.
Only 10 packages were identified as part of the campaign that started in July, but they accumulated more than 9,900 downloads collectively by the time cybersecurity firm Socket found them.
The packages rely on NPM’s postinstall hook for the automatic execution of a script when npm install is run. The script identifies the victim’s operating system and launches a payload in a new terminal window, to run independently of the NPM install process.
The malicious code has multiple layers of obfuscation and, upon installation, displays a fake CAPTCHA prompt using Node’s readline interface. It then sends system information to a remote server and downloads and executes the final binary.
The payload is a 24 MB PyInstaller-packaged Python application that performs system reconnaissance and harvests sensitive information from various applications and services, including SQLite databases, JSON configuration files, text configuration files, and browsers.
The information stealer targets keyrings (which store credentials), browser cookies, authentication tokens, SSH private keys, and other sensitive information, which is compressed in ZIP files and sent to the attacker-controlled remote server.
A total of 126 packages were identified as part of the second campaign, which started in August. While two dozen packages were removed, roughly 80 remain active, Koi Security warns. The packages have over 86,000 downloads collectively.
Dubbed PhantomRaven, this campaign relies on hidden dependencies to deliver information stealer malware, while keeping the packages clean.
Abusing the remote dynamic dependencies (RDD) NPM feature that allows developers to use HTTP URLs as dependency specifiers and using a preinstall hook, the threat actor ensured that the malicious code was being fetched upon the packages’ installation from a remote server without triggering detection.
The preinstall script runs automatically, without warning the user or requiring their interaction, regardless of how deep in the dependency tree the package is.
Once executed, the malware searches for email addresses within the victim’s development environment, fingerprints their infrastructure searching for credentials and tokens providing access to repositories and workflows, and then proceeds to full system reconnaissance.
The malware was seen exfiltrating the data via HTTP GET requests, encoded in the URL, via HTTP POST requests, as a JSON, and via a WebSocket connection to the attacker’s server.
In both campaigns, the threat actors relied on typosquatting to deceive developers into executing their malicious packages. As part of PhantomRaven, the package names were carefully chosen to match LLM hallucinations, Koi says.
Developers asking AI assistants for package recommendations may be given the plausible names of non-existing packages. The threat actor behind the campaign created those packages and developers trusting the AI recommendations downloaded them.
“Vetting dependencies is necessary but no longer sufficient. Teams need visibility and controls that extend beyond ‘what’ is pulled from NPM or PyPI to cover ‘what happens next’ packaging, install scripts, build artifacts and runtime behavior. Postinstall hooks, repackaging steps, and terminal-spawned payloads are all legitimate mechanisms that attackers now weaponize, so they deserve attention,” DryRun Security CTO Ken Johnson said.
“Operationally that means treating installs and builds as untrusted execution: run package installs in ephemeral, isolated CI containers; require reproducible builds and signed artifacts; scan for postinstall hooks and typosquatted names before they reach CI; monitor outbound connections from build hosts; and lock down access to OS credential stores (or use vaults that don’t expose plaintext secrets). Add integrity checks and SBOMs into the pipeline so you can detect unexpected changes to archives and binaries early,” Johnson added.
Related: Supply Chain Attack Targets VS Code Extensions With ‘GlassWorm’ Malware
Related: NPM Infrastructure Abused in Phishing Campaign Aimed at Industrial and Electronics Firms
Related: GitHub Boosting Security in Response to NPM Supply Chain Attacks
