Eight malicious npm packages delivering a Chrome information stealer on Windows
Malware Activity
Summary
Eight malicious npm packages were identified delivering a Google Chrome browser information stealer on Windows. The payload can exfiltrate passwords, credit cards, cryptocurrency wallet data, and cookies, with railway[.]app used for exfiltration and a Discord webhook as fallback.
Related Happenings
GlassWorm multi-stage data-theft malware evolution
Malware Activity
First: 25.03.2026 16:26
Last: 25.03.2026 16:26
Sources 1
About this happening:
The **GlassWorm** malware family has evolved into a **multi-stage** payload chain that steals browser data and crypto-wallet information, increasing risk for **Windows** and **mac...
CanisterWorm self-propagation across npm packages
Malware Activity
First: 21.03.2026 09:28
Last: 21.03.2026 09:28
Sources 1
About this happening:
A **self-propagating npm supply-chain worm** tracked as **CanisterSprawl** is abusing **stolen developer npm tokens** to spread through compromised packages. **Socket** and **Step...
GhostLoader RAT-stealer via @openclaw-ai/openclawai
Malware Activity
First: 09.03.2026 20:31
Last: 09.03.2026 20:31
Sources 1
About this happening:
A malicious **@openclaw-ai/openclawai** npm package is delivering **GhostLoader** to **macOS** hosts, enabling **credential theft**, **browser-session cloning**, and persistent re...
Fake Google Account security page PWA phishing campaign
Campaign
First: 02.03.2026 22:23
Last: 02.03.2026 22:23
Sources 1
About this happening:
A **phishing campaign** is using a **fake Google Account security page** and a **Progressive Web App (PWA)** to steal **one-time passcodes**, harvest **cryptocurrency wallet addre...
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Timeline
28.08.2025 20:10 · 2 articles
Eight malicious npm packages deliver Chrome information stealer on Windows
Initial Disclosure: Eight malicious npm packages published by users named ruer and npjun deliver a Google Chrome browser information stealer targeting Windows systems. The packages use 70 layers of obfuscated code to unpack a Python payload that exfiltrates passwords, credit cards, cryptocurrency wallet data, and user cookies to a railway[.]app URL, falling back to a Discord webhook when that fails. Both railway[.]app (a general-purpose hosting platform) and Discord are legitimate services that are rarely blocked outright, so the actionable indicators are the specific URL and webhook rather than the domains themselves.
Sources
- Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names — thehackernews.com — 28.08.2025 20:10