malicious packages Archives

Tech Optimizer

October 29, 2025

Dangerous npm packages are targeting developer credentials on Windows, Linux and Mac – here’s what we know

Security researchers from Socket have discovered ten malicious npm packages that infiltrated the Node Package Manager ecosystem, mimicking legitimate tools and downloaded nearly 10,000 times. These typosquatted packages contain malware that bypasses application-level security to target system keyrings, allowing the harvesting of decrypted credentials and access to critical resources like corporate emails and databases. Users who installed these packages are advised to treat their systems as compromised, disconnect from the internet, revoke exposed credentials, wipe and rebuild the infected system, change passwords, audit npm dependencies, review logs for suspicious activity, and enable multi-factor authentication.

Tech Optimizer

October 15, 2025

What Is Open Source Malware And Why Is It So High?

Open source malware refers to malicious code hidden within software packages on platforms like npm, PyPI, and Hugging Face, which are increasingly targeted by cybercriminals. In the third quarter of this year, Sonatype identified 34,319 malicious open source packages, contributing to a total of 877,522 over the past six years. Attackers are using artificial intelligence to embed malware in tools developers rely on, focusing on stealthy operations to avoid detection. Data exfiltration malware made up 37% of detected malicious packages in Q3, targeting sensitive information. Nearly 38% of threats were categorized as “droppers,” which install additional malware. The prevalence of backdoor-laden packages increased by 143% from the previous quarter. Financial organizations were the primary targets, with 47% of blocked malware attempts aimed at banks and financial services. Notable incidents include the npm hijacking of the “chalk” and “debug” packages and the Shai-Hulud campaign, which spread automatically across repositories. In the first quarter of 2025, 17,954 malicious packages were reported, with over half targeting confidential data, indicating a shift towards organized attacks on trusted dependencies.

AppWizard

July 25, 2025

Malicious Android Apps Mimic as Popular Indian Banking Apps Steal Login Credentials

Attackers are exploiting India's reliance on digital financial services by distributing counterfeit Android applications resembling those of public and private banks. This campaign, detected on April 3, 2025, employs methods like smishing texts, QR codes, and search-engine manipulation to trick users into sideloading malicious software. Within 48 hours of discovery, over 7,000 devices attempted to connect to a specific Firebase Cloud Messaging endpoint. The malware uses permissions to bypass security measures, capture one-time passwords, and gain insights into installed applications for overlay attacks. It collects sensitive information such as phone numbers and CVVs, which are uploaded to a private database. The malware also enables call forwarding to the attacker's number and maintains persistence through various tactics. The infection mechanism involves a dropper that installs a secondary APK silently, evading detection by not displaying a launcher icon. Security experts recommend enhanced phishing detection and real-time sandbox analysis to combat these threats.

Tech Optimizer

June 3, 2025

Misspell one word and you’re infected: New malware campaign fools developers on both Windows and Linux

Cybersecurity experts have highlighted the risks of typosquatting, where developers accidentally download malicious packages due to typographical errors. A report from Checkmarx reveals that attackers exploit this trust by creating counterfeit packages that can grant unauthorized access to systems. Malicious packages have been found in the Python Package Index (PyPI) and can enable remote control, posing serious threats to system integrity. Attackers employ a cross-platform strategy, mixing names from different programming environments to target unsuspecting users. On Windows, malware can create scheduled tasks and disable antivirus protections, while on Linux, certain packages facilitate encrypted reverse shells for data exfiltration. Although the malicious packages have been removed, the threat remains, prompting developers to verify package sources and spellings. Checkmarx recommends organizations conduct audits of deployed packages and scrutinize application code to enhance security.

Tech Optimizer

April 18, 2025

Breached Identities and Infostealers: One of the Largest Ongoing Data Leak in History

Breached identities due to infostealer malware are a significant threat to corporate information security in 2024. Infostealers are a type of remote access trojan that exfiltrate sensitive data, including saved credentials, session cookies, browser history, crypto wallet information, screen captures, and host data. Infections often stem from downloading cracked software, malicious advertising, fake Windows updates, and repackaged games. Infostealers do not require local administrative privileges, making them easy to execute. Threat actors primarily aim to profit from breached bank accounts and crypto wallets, often bypassing multi-factor authentication by targeting session cookies. They also seek credentials for subscription services and corporate access. Research shows that 90% of breached companies had leaked corporate credentials in a stealer log, with 78% experiencing leaks within six months of a breach. In comparison, 76% of similar companies without breaches had experienced a corporate stealer log compromise. The investigation identified high-criticality credentials from various corporate applications, indicating that a single user often has access to multiple credentials. The rise of infostealer malware represents a broad threat, encompassing a wide range of sensitive data. Organizations are advised to implement strategies such as restricting download privileges, avoiding illegal content, disabling macros, and regularly updating software to mitigate risks associated with infostealer malware.

Winsage

August 6, 2024

North Korean Hackers Attacking Windows Users With Weaponized npm Files

GuardDog software identified two malicious npm packages, harthat-hash and harthat-api, linked to a North Korean threat actor group called "Stressed Pungsan," which has connections to Microsoft's MOONSTONE SLEET. These packages were uploaded by a user named nagasiren978 on July 7, 2024, and were designed to download additional malware from a suspected North Korean command and control server. The packages utilized a pre-install script to download and execute a harmful DLL via rundll32, while also self-destructing to evade detection. The harthat-api package impersonated the legitimate Hardhat package and modified its package.json file to conceal its malicious intent. The malicious DLL appeared innocuous but is suspected to contain harmful functionality. The threat actors compromised targets using the packages harthat-api-v1.3.1.zip and harthat-hash-v1.3.3.zip, traced back to the IP address 142.111.77.196. Indicators of compromise include the filename Temp.b (package.db) and its SHA256 hash, d2a74db6b9c900ad29a81432af72eee8ed4e22bf61055e7e8f7a5f1a33778277.