Malicious npm Packages Steal Developer Credentials
⚠️ Security researchers revealed 10 typosquatted npm packages uploaded on July 4, 2025, that install a cross-platform information stealer targeting Windows, macOS, and Linux. The packages impersonated popular libraries and use a postinstall hook to open a terminal, display a fake CAPTCHA, fingerprint victims, and download a 24MB PyInstaller stealer. The obfuscated JavaScript fetches a data_extracter binary from an attacker server, harvests credentials from browsers, system keyrings, SSH keys and config files, compresses the data into a ZIP, and exfiltrates it to the remote host.
