
Payload for IP fingerprinting and credential theft
Once the fake CAPTCHA interaction occurs, the installer sends the victim’s IP address to the attacker’s server, a step that allows tracking, geofencing, and exclusion of unwanted targets.
It then downloads the payload from the same host: a 24 MB PyInstaller-packed application containing hundreds of thousands of strings and multiple binaries, which indicates a feature-rich stealer.
Socket's further analysis of the binaries found that they perform aggressive filesystem and credential harvesting, targeting browser password stores and cookies, SSH keys, OS keyrings (Windows Credential Manager, macOS Keychain, Linux SecretService), cloud config files, SDK tokens, and other artifacts that can provide "long-term access" to code repositories, cloud consoles, and corporate resources. Exfiltration transfers the data to the threat actor's host, giving the attacker a central collection point for harvested secrets. Socket has published a full list of the ten malicious package names, their hashes, and the attacker's associated email address to help developers and defenders identify potential compromises.
Popular libraries typosquatted in the campaign include TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand. npm’s popularity has made it a growing target for imposter packages, with abusers conducting massive espionage and supply-chain attacks in recent months.
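As an added defensive check (example code, not Socket's or the article's), the script below scans a package.json for dependency names that sit within a small edit distance of the popular libraries named above but are not exact matches; the lookalike names in the sample manifest are constructed for illustration, and any hit still needs a human to confirm it is not a legitimately named package.

```python
"""Flag npm dependencies whose names are near misses of popular packages."""
import json

# Legitimate names the article lists as typosquat targets
# (ethers.js is published on npm as "ethers", so both spellings are included).
POPULAR = ["typescript", "discord.js", "ethers", "ethers.js", "nodemon",
           "react-router-dom", "zustand"]


def levenshtein(a, b):
    """Plain edit distance; a small non-zero value between two names is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_dependencies(package_json, max_distance=2):
    """Return (dependency, lookalike-of, distance) for names close to, but not
    exactly, a popular package name.  Scoped names (@org/pkg) are compared on
    the bare package part."""
    manifest = json.loads(package_json)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    findings = []
    for dep in deps:
        bare = dep.split("/", 1)[1] if dep.startswith("@") else dep
        bare = bare.lower()
        if bare in POPULAR:          # exact match: the real package, not a lookalike
            continue
        for target in POPULAR:
            distance = levenshtein(bare, target)
            if 0 < distance <= max_distance:
                findings.append((dep, target, distance))
                break
    return findings


# Constructed sample manifest: two real names plus two one-character lookalikes.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"react-router-dom": "^6.0.0", "zustand": "^4.0.0",
                     "discordjs": "1.0.0"},
    "devDependencies": {"typescript": "^5.0.0", "nodemom": "1.0.0"},
})

if __name__ == "__main__":
    for dep, target, distance in suspicious_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"{dep!r} is {distance} edit(s) from {target!r}: review before installing")
```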
