- Ten typosquatted npm packages delivered info-stealing malware to nearly 10,000 systems
- The malware targeted system keychains, bypassing app-level security to steal credentials in decrypted form
- Affected users must revoke credentials, rebuild systems, and enable multi-factor authentication
Nearly a dozen malicious npm packages that deliver dangerous info-stealing malware were downloaded about 10,000 times before they were detected and removed.
Recently, security researchers at Socket found 10 packages on npm targeting software developers, specifically those who use the npm (Node Package Manager) ecosystem to install JavaScript and Node.js libraries.
These were uploaded in early July 2025 and, as can be seen from the names, are mostly typosquatted variants of popular packages, such as TypeScript, discord.js, ethers.js and others. In total, they were downloaded 9,900 times before being removed from the platform.
How to stay safe
Here is the full list:
deezcord.js
dezcord.js
dizcordjs
etherdjs
ethsjs
entityjs
nodemonjs
react-router-dom.js
typescriptjs
state.js
The infostealers were designed to harvest credentials from system keychains, browsers, and authentication services. They worked on all major platforms, including Windows, Linux and macOS.
“The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address and downloads a 24MB PyInstaller-packaged information stealer,” explained Socket security researcher Kush Pandya.
System keychains are a particularly important target, Pandya further explained, as they store credentials for critical services such as email clients, cloud storage sync tools, password managers, SSH passwords, database connection strings and other apps that integrate with the OS credential store.
“By directly targeting the keychain, the malware bypasses application-level security and harvests stored credentials in their decrypted form. These credentials provide immediate access to corporate email, file storage, internal networks and production databases.”
Of course, if you have installed any of the packages mentioned above, you should treat your system as completely compromised. To mitigate the risk, disconnect the affected system from the Internet, revoke all potentially exposed credentials (including SSH keys, API tokens, GitHub or GitLab access tokens, cloud provider keys (AWS, GCP, Azure), npm tokens, and any credentials stored in browsers and password managers), change all passwords, and check your npm dependencies and lock files.
Finally, you should review system and network logs for suspicious activity or outgoing connections to unknown domains and enable multi-factor authentication on all accounts.
Via Hacker News