
Npm typosquatting campaign using fake CAPTCHA lures

Campaign · Happening score 39 · 2 unique sources, 2 articles

Summary


An npm typosquatting campaign used fake CAPTCHA lures and packages impersonating popular projects to deliver a credential-stealing infostealer to developers on Windows, Linux, and macOS. The malicious packages were uploaded on July 4, 2025, ran from a postinstall hook, were wrapped in four layers of obfuscation, and collected nearly 10,000 downloads. After installation, the loader fetched a 24 MB PyInstaller-packaged payload that harvested browser data, SSH keys, OAuth tokens, JWTs, and system keyring secrets. The stolen data was compressed and exfiltrated to 195[.]133[.]79[.]43.


Timeline

  1. 30.10.2025 01:16 1 article · 6mo ago

    Malicious npm package uploads begin

    Campaign Scope Update

    A threat actor uploaded ten malicious npm packages on July 4, using typosquatting names that mimicked TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand to position a later credential-stealing payload for developers searching for legitimate open-source projects.

  2. 30.10.2025 01:16 3 articles · 6mo ago

    Socket details the fake CAPTCHA infostealer chain

    Technical Analysis Update

    Socket researchers analyzed ten malicious npm packages that impersonated legitimate software projects. The packages used a fake CAPTCHA and multiple obfuscation layers, then launched a 24 MB PyInstaller-packaged infostealer after installation. The infostealer collected credentials from Windows Credential Manager, macOS Keychain, Linux SecretService, libsecret, and KWallet, together with Chromium-based and Firefox browser data, SSH keys, OAuth tokens, JWTs, and other API tokens, and exfiltrated compressed archives to 195[.]133[.]79[.]43. The packages remained available at publication despite being reported to npm and had nearly 10,000 downloads.

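A defender-side check for the two install-time signals this timeline describes (a lifecycle hook such as postinstall in package.json, and a package name a character or two away from a popular project). This is an added example, not code from the page's sources; the WATCHLIST names come from the timeline entry above, while the sample manifests and their package names are constructed for illustration.

```python
"""Audit npm package manifests for two typosquat-campaign signals:
install-time lifecycle scripts and names close to popular packages."""
import json

# Popular projects the campaign imitated (from the write-up); extend as needed.
WATCHLIST = ["typescript", "discord.js", "ethers", "nodemon",
             "react-router-dom", "zustand"]
# Scripts npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_manifest(manifest: dict, max_distance: int = 2) -> list[str]:
    """Return human-readable findings for one parsed package.json."""
    findings = []
    name = manifest.get("name", "")
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"{name}: runs code at install time via '{hook}': {scripts[hook]}")
    for popular in WATCHLIST:
        d = edit_distance(name, popular)
        if 0 < d <= max_distance:  # d == 0 is the genuine package itself
            findings.append(f"{name}: name is {d} edit(s) from popular package '{popular}'")
    return findings


def audit_package_json(path: str) -> list[str]:
    """Audit a package.json file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_manifest(json.load(fh))


# Constructed sample manifests (hypothetical names, not the real campaign packages).
SAMPLE_MANIFESTS = [
    {"name": "typescriptt", "version": "1.0.0",
     "scripts": {"postinstall": "node install.js"}},
    {"name": "zustand", "version": "4.5.0", "scripts": {"test": "vitest"}},
]

if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS:
        for line in audit_manifest(m):
            print(line)
```

Run it against every package.json under node_modules (or against a lockfile's package list before install) to flag packages that both execute code during installation and sit near a well-known name.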