Typosquatted Npm Packages Deliver Cross-Platform Malware

Security researchers at Socket have disclosed a campaign of typosquatted npm packages that execute automatically on install and ultimately deliver a cross-platform credential stealer. According to the researchers, the malicious packages were first published on July 4, 2025, remained live for more than four months, and together collected more than 9,900 downloads before Socket petitioned the npm registry for their removal.

The actor behind the campaign, a registrant using the name andrew_r1 with the email parvlhonor@gmx[.]com, created ten packages whose names mimic legitimate libraries. Socket’s AI Scanner labeled the most prominent malicious package, dizcordjs, as “Known malware.” The full list of typosquatted packages observed is:

  • typescriptjs (mimics TypeScript) 
  • deezcord.js, dizcordjs, dezcord.js (mimic discord.js) 
  • etherdjs, ethesjs, ethetsjs (mimic ethers.js) 
  • nodemonjs (mimics nodemon) 
  • react-router-dom.js (mimics react-router-dom) 
  • zustand.js (mimics zustand) 

Typosquatted NPM Packages: Obfuscation and Automatic Execution Techniques

Automatic, immediate execution is central to the operation. Each package abuses npm’s postinstall lifecycle hook so that simply running npm install triggers the malicious payload. Socket extracted an example package.json used by the attacker that runs node install.js in postinstall. The install.js implements platform detection and spawns a separate terminal window on Windows (cmd), Linux (gnome-terminal/x-terminal-emulator), or macOS (Terminal.app via AppleScript). By launching the payload in a new window and clearing it quickly, the malware runs outside the main npm output and reduces the chance the developer notices. 
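A check a practitioner would want at this point is whether anything already in `node_modules` runs code at install time and, if so, whether that code behaves like the install.js described above. The script below is an added example written for this page; it is not Socket's tooling and not code from the malicious packages. It audits a parsed package.json for install-time hooks, resolves a `node <file>` hook to the referenced script, and greps that script for the terminal spawning and download indicators the article describes. The pattern list, the `sample-typosquat` and `sample-native-addon` packages, and the mock install.js are all constructed for the example.

```javascript
// Added example (not Socket's tooling, not code from the malicious packages):
// audit a package's lifecycle scripts and, when a hook runs a local script,
// inspect that script for the platform-specific terminal spawning described
// above. Heuristics and sample inputs are constructed for illustration.

// Hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators drawn from the install.js behaviour described in the article.
const SUSPICIOUS = [
  { label: 'spawns a terminal window',
    re: /\b(cmd(\.exe)?|gnome-terminal|x-terminal-emulator|xterm|osascript)\b|Terminal\.app/i },
  { label: 'downloads during install',
    re: /\b(curl|wget)\b|https?:\/\//i },
  { label: 'runtime code loading',
    re: /\beval\s*\(|new\s+Function\s*\(/i },
];

// Resolve "node [flags] some/script.js" to the script path so its body can be read.
function localScriptOf(cmd) {
  const m = /\bnode\s+(?:-\S+\s+)*([\w./-]+\.[cm]?js)\b/.exec(cmd);
  return m ? m[1] : null;
}

// pkg: parsed package.json; files: { relativePath: contents } for that package.
// Findings: level 'info' = runs code at install time, 'high' = matches an indicator.
function auditPackage(pkg, files = {}) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ pkg: pkg.name, hook, level: 'info', detail: `runs "${cmd}" at install time` });
    const sources = [cmd];
    const script = localScriptOf(cmd);
    if (script && typeof files[script] === 'string') sources.push(files[script]);
    for (const src of sources) {
      for (const { label, re } of SUSPICIOUS) {
        if (re.test(src)) findings.push({ pkg: pkg.name, hook, level: 'high', detail: label });
      }
    }
  }
  return findings;
}

function verdict(findings) {
  if (findings.some((f) => f.level === 'high')) return 'block';
  return findings.length ? 'review' : 'ok';
}

// Constructed sample mirroring the article: a postinstall hook runs install.js,
// which opens a fresh terminal window per platform.
const samplePkg = { name: 'sample-typosquat', version: '1.0.0', scripts: { postinstall: 'node install.js' } };
const sampleFiles = {
  'install.js': [
    "const { spawn } = require('child_process');",
    "if (process.platform === 'win32') spawn('cmd', ['/c', 'start', 'node', 'app.js']);",
    "else if (process.platform === 'darwin') spawn('osascript', ['-e', 'tell app \"Terminal\" to do script \"node app.js\"']);",
    "else spawn('x-terminal-emulator', ['-e', 'node app.js']);",
  ].join('\n'),
};
// A legitimate native add-on also has an install hook but no indicator: 'review', not 'block'.
const nativePkg = { name: 'sample-native-addon', scripts: { install: 'node-gyp rebuild' } };

console.log(verdict(auditPackage(samplePkg, sampleFiles)), auditPackage(samplePkg, sampleFiles));
console.log(verdict(auditPackage(nativePkg)));
```

To run it over a real tree, read each `node_modules/*/package.json` (and scoped `@org/*` directories) with `fs`, pass the parsed object plus the referenced script's contents to `auditPackage`, and review every 'review' and 'block' result. The blunter control is `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), which would have prevented this campaign's postinstall hook from running at all; the caveat is that it also skips legitimate install steps such as `node-gyp rebuild`, so native add-ons then need an explicit `npm rebuild`.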

The malicious app.js is heavily obfuscated with four distinct layers designed to defeat static analysis and automated scanners: an eval-based self-decoding wrapper, XOR decryption using a key derived from the decoder function’s own source, URL encoding of the payload string, and control-flow obfuscation implemented with switch/state machines and mixed-base arithmetic. Socket noted that these layers only reveal the real payload at runtime, increasing the difficulty of static inspection. 
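The self-keyed XOR layer is worth seeing concretely, because it explains why static unpacking is awkward and why the usual analyst shortcut works anyway. The block below is an added example, not code from the packages or from Socket's write-up: it builds a toy stage the way the article describes (URL-encoded, XOR-ed with a key taken from the decoder's own source text, handed to eval; the control-flow flattening layer is not reproduced), then hooks the global `eval` so the decoded stage is captured instead of executed. `selfKeyedDecoder`, `obfuscatedWrapper` and the harmless `PAYLOAD` string are constructed for the example.

```javascript
// Added example, not code from the packages or from Socket's analysis: a toy
// stage built the way the article describes (URL-encoding, XOR with a key
// derived from the decoder's own source, eval) and the analyst-side trick of
// hooking eval so the decoded stage is recorded instead of run.
// The payload is a harmless constructed string.

function xorWith(text, key) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Decoder shaped like the one described: its XOR key is its own source text
// (Function.prototype.toString), so editing the function while reversing it
// silently changes the key and breaks decoding.
function selfKeyedDecoder(blob) {
  return xorWith(decodeURIComponent(blob), selfKeyedDecoder.toString());
}

// Used only to build the sample; XOR is its own inverse, so the encoder is the
// decoder's steps in reverse order.
function buildBlob(plain) {
  return encodeURIComponent(xorWith(plain, selfKeyedDecoder.toString()));
}

const PAYLOAD = 'globalThis.stageTwoRan = true; /* next stage would go here */';
const BLOB = buildBlob(PAYLOAD);

// The wrapper as shipped: decode at runtime, then eval the result.
function obfuscatedWrapper() {
  eval(selfKeyedDecoder(BLOB));
}

// Reversing mistake the self-keying is designed to punish: a copy of the
// decoder with any change to its text derives a different key and yields noise.
function patchedDecoder(blob) {
  console.log('debug: decoding');
  return xorWith(decodeURIComponent(blob), patchedDecoder.toString());
}

// Analyst side: temporarily replace the global eval with a recorder. The call
// inside the wrapper is written as a direct eval, but the engine only performs
// a direct eval when the callee is the built-in; otherwise it is an ordinary
// call, so the decoded stage lands in `captured` and never executes.
function captureEval(run) {
  const realEval = globalThis.eval;
  const captured = [];
  globalThis.eval = (code) => { captured.push(String(code)); };
  try { run(); } finally { globalThis.eval = realEval; }
  return captured;
}

const recovered = captureEval(obfuscatedWrapper);
console.log('blob:', BLOB.slice(0, 40) + '...');
console.log('recovered stage:', recovered[0]);
console.log('stage executed?', globalThis.stageTwoRan === true);
```

The same hook generalizes to `Function`, `vm.runInThisContext` and `child_process` entry points; the point is to let the sample do its own unpacking and intercept the hand-off, rather than to re-derive each layer by hand. Run real samples only inside an isolated, network-less VM, since any layer the hook does not cover will execute.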

Multi-stage credential theft workflow

After installation begins, the packages perform social engineering: they display a fake CAPTCHA prompt rendered in the terminal (via Node’s readline) to imitate legitimate bot protection and persuade the user that the activity is expected. The installer then prints realistic-looking install messages such as “Installing ethers package…” or “Installing discord.js package…”, along with plausible version numbers and contributor counts, to further the ruse.

Before delivering the final payload, the malware performs IP fingerprinting: it sends the victim’s IP to the actor’s server at http://195[.]133[.]79[.]43/get_current_ip. Socket observed this behavior in network captures; the actor can use those logs to profile victims, filter by geography, or identify security researchers. 

Once the victim interacts with the fake CAPTCHA, the installer downloads a platform-specific binary named data_extracter from http://195[.]133[.]79[.]43/data_extracter and executes it. Socket reported the binary as a 24 MB PyInstaller package with SHA-256 hash 80552ce00e5d271da870e96207541a4f82a782e7b7f4690baeca5d411ed71edb and noted more than 289,000 embedded strings, evidence of broad built-in functionality. Because it is packaged with PyInstaller, the binary runs without a separately installed Python interpreter, and builds exist for Windows, macOS, and Linux.

Socket’s analysis describes data_extracter as a comprehensive credential stealer: it recursively scans the file system (browser profiles, ~/.ssh/, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, and application config directories), extracts browser SQLite databases and session cookies, and targets system keyrings (Windows Credential Manager, macOS Keychain, and Linux SecretService/libsecret and KWallet).

The binary also bundles oauthlib and JWT utilities to harvest OAuth and JWT tokens, which can grant programmatic access long after passwords are changed. Harvested artifacts are compressed into archives staged in temporary directories (e.g., /var/tmp) and exfiltrated to the C2 at 195[.]133[.]79[.]43.

Recommendations, IOCs, and impact

Socket characterized the campaign as combining advanced obfuscation, social engineering via fake CAPTCHA and legitimate-looking install messages, IP fingerprinting, and a platform-aware PyInstaller credential stealer—techniques rarely seen together in npm supply chain attacks. 

Socket’s immediate recommendations: 

  • Assume any system that installed one of the ten typosquatted packages is fully compromised.
  • Remove the malicious packages and petition npm for takedown. 
  • Reset credentials stored in system keyrings and browser password managers; revoke and rotate OAuth, JWT, API keys, and SSH keys. 
  • Enable multi-factor authentication where possible and audit access logs for unusual activity. 
  • Search VPN/firewall logs for connections to 195[.]133[.]79[.]43 and investigate potential lateral movement or persistence. 

Indicators of compromise (IOCs) cited by Socket include the ten package names above, the actor identifier andrew_r1 / parvlhonor@gmx[.]com, the C2 IP 195[.]133[.]79[.]43, and the reported PyInstaller binary hash 80552ce00e5d271da870e96207541a4f82a782e7b7f4690baeca5d411ed71edb. 
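The recommendations and IOCs above translate directly into a sweep of three local artifacts: the lockfile (which packages were ever installed), proxy or firewall logs (contact with the C2), and hashes of anything found in download or temp directories (the dropped binary). The script below is an added example written for this page, not Socket's code; it takes those inputs as in-memory text so it runs offline. The lockfile (including the `0.0.0-sample` version string), the proxy log lines and the `sha256sum` lines are constructed; the package names, IP and hash are the IOCs cited above.

```javascript
// Added example, not from Socket's report: sweep a lockfile, log lines and
// sha256sum output for the indicators cited in the article. Sample inputs
// are constructed; only the IOC values themselves come from the report.

const IOC = {
  packages: new Set(['typescriptjs', 'deezcord.js', 'dizcordjs', 'dezcord.js', 'etherdjs',
    'ethesjs', 'ethetsjs', 'nodemonjs', 'react-router-dom.js', 'zustand.js']),
  ip: '195.133.79.43',
  sha256: '80552ce00e5d271da870e96207541a4f82a782e7b7f4690baeca5d411ed71edb',
};

// package-lock.json v2/v3 keys entries as "node_modules/<name>", nested paths
// included, so the package name is the last node_modules segment.
function hitsInLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || p.split('node_modules/').pop();
    if (IOC.packages.has(name)) hits.push({ path: p, version: meta.version });
  }
  return hits;
}

// Match the C2 address as a whole token so 195.133.79.4 or 1195.133.79.43 do not count.
const ipRe = new RegExp(`(?<![\\d.])${IOC.ip.replace(/\./g, '\\.')}(?![\\d.])`);
function hitsInLogs(lines) {
  return lines.filter((l) => ipRe.test(l));
}

// Parse `sha256sum <files>` output ("<hash>  <path>" or "<hash> *<path>") and
// return the paths whose digest is the reported binary.
function hitsInHashes(sha256sumOutput) {
  return sha256sumOutput.split('\n')
    .map((l) => l.trim().match(/^([0-9a-f]{64})\s+\*?(.+)$/))
    .filter((m) => m && m[1] === IOC.sha256)
    .map((m) => m[2]);
}

function sweep(lockJson, logLines, sha256sumOutput) {
  return {
    packages: hitsInLockfile(lockJson),
    logs: hitsInLogs(logLines),
    hashes: hitsInHashes(sha256sumOutput),
  };
}

// Constructed sample inputs.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/discord.js': { version: '14.16.3' },
    'node_modules/dizcordjs': { version: '0.0.0-sample' },
  },
});
const SAMPLE_LOGS = [
  '2025-11-10T09:12:01Z proxy client=10.0.0.7 dst=195.133.79.43:80 GET /get_current_ip',
  '2025-11-10T09:13:40Z proxy client=10.0.0.7 dst=195.133.79.4:443 CONNECT',
  '2025-11-10T09:14:02Z proxy client=10.0.0.7 dst=195.133.79.43:80 GET /data_extracter',
];
const SAMPLE_SUMS = [
  '80552ce00e5d271da870e96207541a4f82a782e7b7f4690baeca5d411ed71edb  /var/tmp/data_extracter',
  'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /var/tmp/empty',
].join('\n');

console.log(JSON.stringify(sweep(SAMPLE_LOCK, SAMPLE_LOGS, SAMPLE_SUMS), null, 2));
```

In practice, feed it `package-lock.json` (and the lockfiles of CI images, not only developer laptops), the proxy or egress firewall lines for the window since July 4, 2025, and the output of `sha256sum` over `/var/tmp`, `/tmp` and user download directories. A lockfile hit means the credential-reset and key-rotation steps above apply to that machine and to every secret it could reach, regardless of whether the binary is still present.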

Socket’s disclosure underscores that typosquatted packages remain a viable attack vector for delivering credential stealers and other payloads to developers and build systems. Organizations that rely on third-party packages should audit dependencies, apply stricter vetting, and treat any unexpected installation activity as potentially malicious.
