A supply-chain attack targeting Windows developers through malicious npm packages has surfaced, showing once again how much trust package registries place in whoever publishes to them.
Between October 21 and 26, 2025, threat actors published 17 malicious npm packages containing 23 releases designed to deliver Vidar infostealer malware.
The campaign exploited the trust developers place in package registries, leveraging legitimate-appearing packages that masqueraded as Telegram bot helpers, icon libraries, and forks of popular projects including Cursor and React.
The attack leveraged two recently created npm accounts, aartje and saliii229911, which published packages downloaded over 2,240 times before removal from the registry.
This distribution method is a notable departure for Vidar, which has historically spread through phishing emails carrying malicious Office documents.
The deceptive packaging and seemingly legitimate functionality allowed the malicious code to reach developers before it was detected.
Researchers at Datadog Security Labs identified the campaign through their GuardDog static analyzer, which flagged suspicious indicators including postinstall script execution and process spawning.
All packages executed the same attack chain from a postinstall hook; some variants placed the PowerShell command directly in the scripts field of package.json rather than in a separate file.
Infection Mechanism and Technical Breakdown
The infection chain is simple. When a developer installed one of the packages, the postinstall script ran automatically and downloaded a password-protected ZIP archive from bullethost.cloud infrastructure.
The downloader extracted the archive with a hardcoded password, retrieving bridle.exe, a Go-compiled Vidar variant not previously seen in npm distributions.
The malware then ran with the privileges of the user who invoked npm install, which is all it needs to read that user's browser profiles, wallet files and documents, and began the information theft process.
This Vidar variant collects sensitive data including browser credentials, cookies, cryptocurrency wallets, and system files before exfiltrating stolen information through command-and-control infrastructure.
The malware locates its active C2 servers through a dead-drop resolver: it queries hardcoded throwaway Telegram and Steam accounts whose profiles carry regularly updated C2 domains.
After successful data exfiltration, the malware deletes traces of itself, complicating post-compromise detection.
The campaign shows a working knowledge of how npm install hooks and registry trust can be abused.
The threat actors rotated between multiple C2 domains and varied the postinstall script implementations, likely to evade pattern-based detection.
The affected packages remained live on npm for approximately two weeks, giving them an extended window to reach enterprise development environments and individual developers worldwide.