A recent report from FortiGuard Labs has uncovered a series of malicious NPM packages designed to steal sensitive information from compromised systems. These packages, created by a threat actor using the names tommyboy_h1 and tommyboy_h2, specifically target PayPal users.
The attackers employed a clever tactic to evade detection: using PayPal-related names for the malicious packages. According to the report, “By including ‘PayPal’ in the name of the malicious packages, such as oauth2-paypal and buttonfactoryserv-paypal, the attackers also create a false sense of legitimacy, tricking developers into installing them.” This strategy increases the likelihood of developers inadvertently installing the malicious code.
The malicious packages use a “preinstall hook” to automatically execute a script before the package installation is complete. This allows the script to run without being detected by users or security tools. The script’s primary function is to collect system data, including usernames, working directory paths, and hostnames.

This stolen information is then encoded and obfuscated to further conceal the malicious activity. As the report states, “The code collects and exfiltrates system data, such as usernames and directory paths, which can then be used to target PayPal accounts or be sold for fraudulent purposes.” The exfiltrated data is sent to an external server controlled by the attacker, using dynamically generated URLs to evade blocking.
FortiGuard Labs’ analysis suggests that the threat actors behind tommyboy_h1 and tommyboy_h2 are likely the same individual, given the similarity in the malicious code and the timing of the package releases. The report emphasizes the potential impact of these attacks, noting, “Users would lose their private info without knowing it.”