Rise of Typosquatted NPM Packages: A New Threat to Developers
Introduction to Typosquatting in NPM
In a worrying development for the software development community, security researchers recently uncovered a campaign of typosquatted NPM packages. The malicious packages execute automatically upon installation and steal user credentials on several platforms. Initially discovered on July 4, 2025, they remained undetected for over four months and amassed more than 9,900 downloads before Socket, a security firm that monitors the NPM registry, flagged them for removal.
The Architect of the Attack
The perpetrator behind this campaign goes by the name andrew_r1, using the email address parvlhonor@gmx[.]com. This individual published ten packages that cleverly mimic well-known libraries, such as dizcordjs, which was identified as “known malware” by Socket’s AI Scanner. Here’s a brief list of the typosquatted packages:
- typescriptjs (similar to TypeScript)
- deezcord.js, dizcordjs, dezcord.js (all variants of discord.js)
- etherdjs, ethesjs, ethetsjs (mimicking ethers.js)
- nodemonjs (a copy of nodemon)
- react-router-dom.js (copying react-router-dom)
- zustand.js (a play on zustand)

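Every name above is the genuine package plus a bolted-on suffix, a dropped or swapped letter, or a vowel change. The following script is an added example (not code from the article or from Socket) that turns those three patterns into a heuristic check over a dependency list: it normalizes away ".js"/"js" suffixes and punctuation, computes edit distance, and compares a vowel-stripped, s/z-folded "skeleton" of each name. The list of genuine packages, the sample dependency names and all function names are constructed for this demo.

```javascript
// Added example, not code from the article or from Socket: a heuristic check
// that flags dependency names which imitate well-known packages. The list of
// genuine packages and the sample dependency names are constructed for the demo.

// Genuine packages the article says the campaign imitated.
const POPULAR_PACKAGES = ['typescript', 'discord.js', 'ethers', 'nodemon', 'react-router-dom', 'zustand'];

// Levenshtein distance (insert, delete, substitute), two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Strip the decorations squatters bolt on: case, a trailing ".js"/"js", and punctuation.
// "nodemonjs" and "react-router-dom.js" both reduce to the genuine name's form.
function normalize(name) {
  return name.toLowerCase().replace(/\.?js$/, '').replace(/[.\-_]/g, '');
}

// Skeleton for sound-alike squats: fold z into s and drop vowels, so
// "deezcord", "dizcord" and "discord" all collapse to "dscrd".
function skeleton(name) {
  return normalize(name).replace(/z/g, 's').replace(/[aeiou]/g, '');
}

// Returns null for a name that is genuine or unrelated, otherwise a finding
// naming the package it most likely imitates and which rule fired.
function classify(name) {
  if (POPULAR_PACKAGES.includes(name)) return null; // the real package itself
  const norm = normalize(name);
  for (const real of POPULAR_PACKAGES) {
    const realNorm = normalize(real);
    if (norm === realNorm) {
      return { name, imitates: real, reason: 'suffix/punctuation variant' };
    }
    if (editDistance(norm, realNorm) <= 2) {
      return { name, imitates: real, reason: 'edit distance <= 2' };
    }
    if (editDistance(skeleton(name), skeleton(real)) <= 1) {
      return { name, imitates: real, reason: 'vowel/s-z swap' };
    }
  }
  return null;
}

// Audit a whole dependency list; returns only the suspicious entries.
function auditDependencies(names) {
  return names.map(classify).filter(Boolean);
}

// Constructed sample: the ten names from the article plus a few genuine packages.
const SAMPLE_DEPENDENCIES = [
  'typescriptjs', 'deezcord.js', 'dizcordjs', 'dezcord.js', 'etherdjs', 'ethesjs',
  'ethetsjs', 'nodemonjs', 'react-router-dom.js', 'zustand.js',
  'discord.js', 'express', 'react', 'lodash',
];

for (const f of auditDependencies(SAMPLE_DEPENDENCIES)) {
  console.log(`${f.name.padEnd(22)} looks like ${f.imitates.padEnd(18)} (${f.reason})`);
}
```

Run against the constructed sample, all ten names from the article are flagged and the four genuine packages are not. The skeleton rule is deliberately loose (an unrelated package named "others" would share the skeleton "thrs" with ethers), so treat the output as a review queue rather than a verdict, and replace POPULAR_PACKAGES with the libraries your own projects actually depend on.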
Execution Mechanism of the Malicious Packages
What makes this campaign particularly concerning is its use of the npm postinstall lifecycle hook, which lets a package run a command automatically the moment a user runs npm install. Socket published examples of the malicious package.json, whose postinstall script executed node install.js; that script then behaved differently per platform, spawning a new terminal window on Windows, Linux, and macOS so that the payload ran discreetly, out of the developer's immediate view.
The code within app.js is heavily obfuscated, with several layers designed to thwart both static analysis and automated scanning tools. It combines eval-based decoding, XOR decryption, URL encoding, and convoluted control flow, making it difficult for security tooling to recognize the underlying threat.
Multi-Stage Approach to Credential Theft
The malicious package steals credentials in several stages. After installation, it displays a fake CAPTCHA prompt via Node's readline to simulate legitimate bot protection, an extra layer of deception that convinces users they are interacting with a secure, legitimate process.
Next, it sends the victim's IP address to an attacker-controlled server, which lets the attacker profile and filter targets by geography. Once the user interacts with the fake CAPTCHA, the installer downloads a platform-specific binary named data_extracter, reported to be a 24 MB PyInstaller bundle that runs without a separately installed Python interpreter.
The Functionality of the Credential Stealer
According to Socket's analysis, the data_extracter binary is a comprehensive credential stealer. It systematically scans the victim's file system for locations such as ~/.ssh/, ~/.aws/credentials, and ~/.docker/config.json, where critical credentials are commonly stored. It also extracts session cookies from browser SQLite databases and reads system keyrings such as Windows Credential Manager and the macOS Keychain.
The binary also harvests OAuth and JWT tokens, which can provide long-term access even after passwords are changed. The stolen data is compressed and transmitted to the attacker's infrastructure, indicating a well-structured operation focused on maximizing the value of the exfiltrated credentials.
Recommended Measures for Developers
Given the sophistication of this attack, Socket has made critical recommendations to mitigate risks:
- Assume any system that installed one of the ten typosquatted packages is fully compromised.
- Remove the malicious packages and request their takedown from the NPM registry.
- Reset all credentials stored within system keyrings and browser password managers, and revoke/rotate sensitive keys.
- Enable multi-factor authentication wherever feasible and conduct audits of access logs for unusual activity.
- Investigate VPN/firewall logs for connections to the identified IP address linked to the campaign.

Conclusion
This incident underscores that typosquatted packages remain an effective attack vector for deploying credential stealers. Developers relying on third-party packages must adopt enhanced due diligence by auditing their dependencies, implementing stricter vetting processes, and treating any unexpected installations as potential threats. As security threats evolve, so too must the strategies employed by developers to safeguard their environments from malicious actors.