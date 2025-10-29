Ten npm packages were found to spread credential-stealing malware hidden under four layers of obfuscation, Socket revealed Tuesday.

Extensive obfuscation prevents static analysis

The 10 packages use typosquatting to imitate popular legitimate packages such as TypeScript, discord.js, ethers.js and nodemon. First published on July 4, 2025, the packages have accumulated nearly 10,000 downloads total.

The packages conceal their malicious intent beneath four forms of obfuscation: eval wrapping, XOR encryption, URL encoding and control flow obfuscation.

The entire payload is first wrapped in an immediately invoked function expression (IIFE) that “reconstructs and evaluates itself,” according to Socket. As the payload is only reconstructed at runtime, static analysis is unable to uncover its true purpose.

XOR encryption is then used to encrypt the payload, with the encryption key being dynamically generated based on the decoder function’s own code. Again, this prevents a full analysis from being completed until the code is executed and unwrapped.

The XOR encrypted string is also URL-encoded, meaning URI decoding is required before it can be decrypted, adding another barrier for static analysis.

Lastly, the decoded and decrypted code uses switch-case state machines with a mix of hexadecimal and octal arithmetic to obfuscate the execution path of the malware.
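As an added illustration (not Socket's code and not taken from the packages), the following toy reproduces the key-from-own-source XOR layer described above and shows two analyst-side ways to peel it without running the payload; the exact decoder shape, the wrapper-matching regex and the harmless stand-in inner script are assumptions.

```javascript
// Added illustration: a toy of the "key derived from the decoder's own source"
// XOR layer, plus two ways an analyst can unwrap it without executing the payload.

// XOR a string against a repeating key (the same helper encrypts and decrypts).
const xor = (text, key) =>
  Array.from(text, (ch, i) =>
    String.fromCharCode(ch.charCodeAt(0) ^ key.charCodeAt(i % key.length))
  ).join("");

// Decoder as it would sit in the package: the key is its own source text, so
// any edit to this function changes the key and breaks decryption.
function decoder(blob) {
  return eval(xor(decodeURIComponent(blob), decoder.toString()));
}

// Constructed sample builder: XOR with the decoder source, URL-encode, and wrap
// everything as a self-evaluating IIFE, mirroring the layering in the article.
function buildSample(inner) {
  const blob = encodeURIComponent(xor(inner, decoder.toString()));
  return `(${decoder.toString()})("${blob}")`;
}

// Harmless stand-in for the real second-stage loader (constructed).
const INNER = 'console.log("harmless stand-in for the second stage")';

// Analyst method 1, fully static: the decoder text in the file IS the key, so
// copy it verbatim, URL-decode the blob and XOR; eval is never called.
function peelLayers(sample) {
  const m = sample.match(/^\((function[\s\S]*?\})\)\("([^"]*)"\)$/);
  if (!m) throw new Error("unrecognised wrapper shape");
  const [, decoderSource, blob] = m;
  return xor(decodeURIComponent(blob), decoderSource);
}

// Why the usual "swap eval for console.log and rerun" trick fails here: the
// edit changes decoder.toString(), so the recovered text is garbage.
function peelWithEditedDecoder(sample) {
  return peelLayers(sample.replace("eval(", "console.log("));
}

// Analyst method 2: leave the decoder untouched and shadow `eval` instead.
// The wrapper runs, but `eval` is an identity function, so the inner script
// comes back as a string rather than being executed.
function peelByHookingEval(sample) {
  return new Function("eval", "xor", "return " + sample)(s => s, xor);
}
```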

Credential stealing malware targets developers

“The use of mixed number bases (hexadecimal 0x, octal 0o/0O), bitwise operations, and nested state machines makes manual analysis extremely time-consuming,” Socket researchers said.

The infostealer starts its attack chain by rendering a fake CAPTCHA as ASCII art in the user’s terminal. Once the user submits a response, the malware prints messages such as “Installing ethers package …” to make the user believe a legitimate package is being installed.

In the meantime, the malware retrieves the victim’s IP address and exfiltrates it to the attacker’s server. After the fake CAPTCHA is solved, a binary called “data_extracter” is downloaded from the same remote server, with a different version installed based on the victim’s operating system (Windows, Mac or Linux).

The “data_extracter” binary is a PyInstaller-packaged Python application, bundled with all the resources needed in case Python is not already installed on the victim’s machine. The application is a credential stealer designed to extract credentials from multiple locations, including system keyrings (Windows Credential Manager, macOS Keychain and Linux SecretService), browser SQLite databases containing cookies and passwords, and configuration files containing API keys and service credentials.

The infostealer also leverages specialized libraries for extracting OAuth tokens, JSON Web Tokens (JWTs) and LaunchPad credentials, suggesting specific targeting of developers’ working environments, Git projects and/or CI/CD pipelines.

Socket reported these packages to npm, but as of Wednesday morning, all of the packages remained active on npm.

Socket recommends organizations audit their dependencies for the 10 packages named in its blog post and assume a full compromise of any system where these packages were installed.