Dangerous npm packages are targeting developer credentials on Windows, Linux and Mac – here’s what we know
- Ten typosquatted npm packages delivered infostealing malware to nearly 10,000 systems
- Malware targeted system keyrings, bypassing app-level security to steal decrypted credentials
- Affected users must revoke credentials, rebuild systems, and enable multi-factor authentication
Almost a dozen malicious npm packages, delivering dangerous infostealing malware, were downloaded roughly 10,000 times before being spotted and removed.
Recently, security researchers Socket found 10 packages on npm targeting software developers, specifically those who use the npm (Node Package Manager) ecosystem to install JavaScript and Node.js libraries.
These were uploaded in early July 2025 and, as is seen from the names, are mostly typosquatted variants of popular packages, such as TypeScript, discord.js, ethers.js, and others. Cumulatively, they were downloaded 9,900 times before being removed from the platform.
How to stay safe
Here is the full list:
deezcord.js
dezcord.js
dizcordjs
etherdjs
ethesjs
ethetsjs
nodemonjs
react-router-dom.js
typescriptjs
zustand.js
The infostealers were designed to harvest credentials from system keyrings, browsers, and authentication services. They worked on all major platforms, including Windows, Linux, and macOS.
“The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer,” Socket security researcher Kush Pandya explained.
System keyrings are a particularly important target, Pandya further explained, since they store credentials for critical services such as email clients, cloud storage sync tools, password managers, SSH passphrases, database connection strings, and other apps that integrate with the OS credential store.
“By targeting the keyring directly, the malware bypasses application-level security and harvests stored credentials in their decrypted form. These credentials provide immediate access to corporate email, file storage, internal networks, and production databases.”
Obviously, if you have installed any of the above-mentioned packages, you should treat your system as fully compromised. To mitigate the risk, disconnect the affected system from the internet, revoke all potentially exposed credentials (including SSH keys, API tokens, GitHub or GitLab access tokens, cloud provider keys (AWS, GCP, Azure), npm tokens, and any credentials stored in browsers or password managers), wipe and rebuild the infected system, change all passwords, and audit your npm dependencies and lockfiles.
Finally, you should review system and network logs for suspicious activity or outbound connections to unknown domains, and enable multi-factor authentication on all accounts.
Via The Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Ten typosquatted npm packages delivered infostealing malware to nearly 10,000 systems Malware targeted system keyrings, bypassing app-level security to steal decrypted credentials Affected users must revoke credentials, rebuild systems, and enable multi-factor authentication Almost a dozen malicious npm packages, delivering dangerous infostealing malware, were downloaded roughly 10,000 times before being…
