Concise Cyber

10 Malicious npm Packages Caught Stealing Developer Credentials

Cybersecurity researchers have uncovered a significant threat within the npm registry, identifying a set of 10 malicious packages designed to deploy an information stealer. The campaign targeted developers using Windows, Linux, and macOS operating systems. The packages, which were uploaded to the registry on July 4, 2025, accumulated over 9,900 downloads before being discovered. The operation relied on typosquatting, with the malicious packages impersonating widely used libraries such as TypeScript, discord.js, ethers.js, nodemon, and react-router-dom to trick developers into installing them.

Multi-Stage Attack and Obfuscation

The malware employed a sophisticated, multi-stage attack chain to execute its payload and evade detection. According to Socket security researcher Kush Pandya, “The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer.” This final payload was engineered to harvest a wide range of sensitive data. The information stealer specifically targeted credentials stored in system keyrings, web browsers, and various authentication services across all three major desktop operating systems.

Identified Malicious Packages

The campaign’s success was driven by its use of convincing, slightly altered names of popular packages. The following 10 npm packages have been confirmed as being part of this credential theft operation:

deezcord.js
dezcord.js
dizcordjs
etherdjs
ethesjs
ethetsjs
nodemonjs
react-router-dom.js
typescriptjs
zustand.js

Developers who may have installed any of these packages are directly affected by the credential harvesting malware. The combined download count of over 9,900 indicates a substantial number of systems were compromised by this supply chain attack.
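To check whether a project pulled in any of the packages listed above, the lockfile can be searched for those names. The following is an added example, not code from the original report or from Socket: it scans a parsed package-lock.json in both the v1 (nested "dependencies") and v2/v3 ("packages") layouts. The sample lockfiles and version numbers are constructed for illustration.

```javascript
// Added example. The names are the ten packages listed in the article.
const MALICIOUS = new Set([
  'deezcord.js', 'dezcord.js', 'dizcordjs', 'etherdjs', 'ethesjs',
  'ethetsjs', 'nodemonjs', 'react-router-dom.js', 'typescriptjs', 'zustand.js',
]);

// Lockfile v2/v3 keys are install paths ("node_modules/a/node_modules/b").
// The package name follows the last "node_modules/" (scoped names stay whole).
function nameFromPath(installPath) {
  const i = installPath.lastIndexOf('node_modules/');
  return i === -1 ? null : installPath.slice(i + 'node_modules/'.length);
}

// Lockfile v1: "dependencies" is a tree keyed by package name.
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const where = [...trail, name].join(' > ');
    if (MALICIOUS.has(name)) hits.push({ name, version: info.version, where });
    walkV1(info.dependencies, [...trail, name], hits);
  }
}

// Returns every occurrence of a listed package in a parsed package-lock.json.
function findMaliciousInLock(lock) {
  const hits = [];
  if (!lock.packages) {
    walkV1(lock.dependencies, [], hits);
    return hits;
  }
  for (const [installPath, info] of Object.entries(lock.packages)) {
    // An entry's own "name" field wins: it is set when the folder is an alias.
    const name = info.name || nameFromPath(installPath);
    if (name && MALICIOUS.has(name)) hits.push({ name, version: info.version, where: installPath });
  }
  return hits;
}

// Constructed sample lockfiles (not real project data).
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo' },
  'node_modules/typescript': { version: '5.4.5' },
  'node_modules/typescriptjs': { version: '1.0.0' },
  'node_modules/tool/node_modules/ethesjs': { version: '1.0.0' },
  'node_modules/router': { name: 'react-router-dom.js', version: '1.0.0' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  nodemon: { version: '3.1.0', dependencies: { 'dezcord.js': { version: '1.0.0' } } },
} };
console.log(findMaliciousInLock(sampleV3), findMaliciousInLock(sampleV1));
```

For a real project, pass in JSON.parse of the package-lock.json contents. A match means the package was resolved into the dependency tree, so credentials on any machine that ran the install should be treated as exposed.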

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
