Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data

FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users.

Detected between March 5 and March 14, 2025, these packages were published by a threat actor using the aliases “tommyboy_h1” and “tommyboy_h2,” believed to be the same individual.

The malicious packages, including names like oauth2-paypal and buttonfactoryserv-paypal, exploit PayPal’s trusted brand to deceive developers into installing them.

By mimicking legitimate PayPal-related functionality, the packages create a false sense of legitimacy, increasing their chances of evading detection.

Once installed, they deploy a preinstall hook that automatically runs a malicious script, collecting system data such as usernames, hostnames, and directory paths without user awareness.

FortiGuard Labs’ analysis reveals that the script encodes stolen data into hexadecimal format, obfuscates it by splitting and truncating directory paths, and sends it to attacker-controlled servers via dynamically generated URLs.

This obfuscation makes it difficult for security tools to detect or block the exfiltration. The harvested information could be used to compromise PayPal accounts, fuel further attacks, or be sold on the dark web.

Key Findings

The campaign’s scale is notable, with the threat actor publishing numerous packages in a short timeframe. Examples include oauth2-paypal v699.0.0, buttonfactoryserv-paypal v3.50.0, and tommyboytesting variants, all exhibiting identical malicious code.

The packages target small to medium-sized businesses and developers, exploiting the open-source ecosystem’s trust model.

FortiGuard AntiVirus has flagged the malicious files as Bash/TommyBoy.A!tr, covering packages like:

• bankingbundleserv_1.20.0
• buttonfactoryserv-paypal_3.50.0 and 3.99.0
• oauth2-paypal (multiple versions, e.g., 0.6.0, 699.0.0)
• compliancereadserv-paypal_2.1.0

The authors of tommyboy_h1 and tommyboy_h2 are likely the same person, publishing multiple malicious packages in a short time. We suspect that the same author created these packages to target PayPal users, Fortinet said..

FortiGuard Labs urges organizations and developers to:

• Verify NPM packages, avoiding those with suspicious names like “paypal” (e.g., oauth2-paypal).
• Monitor network logs for unexpected connections to unknown servers.
• Remove any detected malicious packages, change compromised credentials, and scan systems for additional threats.
• Ensure security software is updated to leverage Fortinet’s latest protections.

Indicators of Compromise

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Security News Updates!

Also Read: