npm malware campaign stealing developer credentials across platforms
Recently, cybersecurity researchers disclosed two sophisticated npm malware campaigns targeting developer credentials across Windows, macOS, and Linux systems. Socket researchers discovered 10 malicious packages with over 9,900 downloads, while Koi Security identified an ongoing campaign dubbed PhantomRaven involving 126 infected packages with 86,434 downloads. Both campaigns use advanced evasion techniques: PhantomRaven exploits Remote Dynamic Dependencies and AI-driven “slopsquatting,” while the Socket-discovered malware uses four layers of obfuscation to harvest credentials from system keyrings, browsers, and authentication services.
You can get more details here: 10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux
Ken Johnson, CTO of DryRun Security, had this comment:
“Attackers are getting better at blending in. The fake “nodejs-smtp” package posing as Nodemailer and a swarm of ten typosquatted npm packages prove it. These weren’t one-off prank packages tossed onto the registry; they behaved like legitimate libraries while performing post-install tricks that turn normal developer workflows into an attack surface.
Both incidents share the same playbook: abuse the packaging and install steps. In the nodejs-smtp case the attacker unpacked and modified an app archive and repackaged it; in the recent npm cluster the payload is triggered automatically via postinstall hooks, spawns a separate terminal to run an obfuscated loader, shows a fake CAPTCHA and then pulls a large PyInstaller stealer. That stealer targets system keyrings, browsers, SSH keys and other persisted secrets on Windows, Linux and macOS, exactly the kinds of credentials developers and CI systems rely on every day.
Vetting dependencies is necessary but no longer sufficient. Teams need visibility and controls that extend beyond “what” is pulled from npm or PyPI to cover “what happens next”: packaging, install scripts, build artifacts and runtime behavior. Postinstall hooks, repackaging steps, and terminal-spawned payloads are all legitimate mechanisms that attackers now weaponize, so they deserve attention.
Operationally that means treating installs and builds as untrusted execution: run package installs in ephemeral, isolated CI containers; require reproducible builds and signed artifacts; scan for postinstall hooks and typosquatted names before they reach CI; monitor outbound connections from build hosts; and lock down access to OS credential stores (or use vaults that don’t expose plaintext secrets). Add integrity checks and SBOMs into the pipeline so you can detect unexpected changes to archives and binaries early.
In short: shrink the implicit trust you place in the build and install process. The boundary that used to stop at “dependency X is okay” has moved and attackers are now weaponizing packaging and install-time behavior to reach secrets and persistence. If you only scan package names and static source, you’ll miss the parts of the pipeline where real compromise happens.”
Developers are a key part of security. Thus they need to make sure everything that they do is focused on putting out code that is secure by default. These days it’s a requirement to do so.
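As an added illustration (not code from DryRun Security, Socket or Koi Security), here is one way a CI step could act on the advice above to scan for postinstall hooks and typosquatted names before install runs: it reads a parsed `package-lock.json` (lockfile v2/v3) and flags install scripts, tarballs resolved from outside the public registry, and names within two edits of a known package. The `POPULAR` list, the sample lockfile and its package names are constructed for the example.

```javascript
// Added example: pre-install audit of an npm lockfile (v2/v3 "packages" map).
const REGISTRY = "https://registry.npmjs.org/";
const POPULAR = ["nodemailer", "typescript", "discord.js", "react-router-dom"]; // assumed watch list

// Levenshtein edit distance between two package names.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // root project or workspace entry
    const name = path.slice(idx + "node_modules/".length);
    // npm records this flag when the package declares install-time scripts.
    if (meta.hasInstallScript) findings.push({ name, issue: "install-script" });
    // A tarball fetched from anywhere but the registry bypasses registry-side scanning.
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY)) {
      findings.push({ name, issue: "non-registry-source" });
    }
    const target = POPULAR.includes(name) ? null
      : POPULAR.find((p) => editDistance(name, p) <= 2);
    if (target) findings.push({ name, issue: `lookalike-of:${target}` });
  }
  return findings;
}

// Constructed sample lockfile; names, versions and URLs are illustrative only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/nodemailer": { resolved: REGISTRY + "nodemailer/-/nodemailer-0.0.0.tgz" },
    "node_modules/nodemaler": { resolved: REGISTRY + "nodemaler/-/nodemaler-0.0.0.tgz", hasInstallScript: true },
    "node_modules/ui-helper": { resolved: "http://packages.example.invalid/ui-helper.tgz" },
  },
};
console.log(auditLock(SAMPLE_LOCK));
```

In a pipeline, the same function would be fed `JSON.parse` of the committed lockfile, with the build failing on any finding that is not on a reviewed exception list.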
This entry was posted on October 30, 2025 at 1:25 pm and is filed under Commentary with tags Hacked.