Npm typosquatting campaign using fake CAPTCHA lures
Campaign
Summary
An npm typosquatting campaign used fake CAPTCHA lures and packages impersonating popular projects to deliver a credential-stealing infostealer to developers on Windows, Linux, and macOS. The malicious packages were uploaded on July 4, 2025, used a postinstall hook and four layers of obfuscation, and collected nearly 10,000 downloads. After installation, the loader fetched a 24 MB PyInstaller-packaged payload that harvested browser data, SSH keys, OAuth tokens, JWTs, and system keyring secrets. The stolen data was compressed and exfiltrated to 195[.]133[.]79[.]43.
Related Happenings
Shai-Hulud PyPI supply-chain malware activity
Malware Activity · H score 22 · First: 08.06.2026 23:41 · Last: 08.06.2026 23:41 · Sources: 1
About this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
Incident · H score 13 · First: 01.06.2026 20:40 · Last: 01.06.2026 20:40 · Sources: 1
About this happening: **Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
Malware-Slop malicious npm file-theft campaign
Campaign · H score 39 · First: 27.05.2026 18:44 · Last: 27.05.2026 18:44 · Sources: 1
About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...
Mouse5212-super-formatter postinstall GitHub exfiltration package
Malware Activity · H score 22 · First: 27.05.2026 18:44 · Last: 27.05.2026 18:44 · Sources: 1
About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...
Latest development: 29.05.2026 11:10
mouse5212-super-formatter leaked a hardcoded GitHub token, exposing the operator's credential and allowing about seven theft sessions to be observed in the attacker's GitHub repository; the malicious npm package recursively copied files from a victim machine, uploaded them through the GitHub Contents API, and was later removed from npm.
TrapDoor trap-core.js credential-stealing package malware
Malware Activity · H score 34 · First: 25.05.2026 08:59 · Last: 25.05.2026 08:59 · Sources: 1
About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
Timeline
- 30.10.2025 01:16 · 1 article · 7mo ago
Malicious npm package uploads begin
Campaign Scope Update: A threat actor uploaded ten malicious npm packages on July 4, using typosquatted names that mimicked TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand to position a later credential-stealing payload for developers searching for legitimate open-source projects.
Sources:
- Malicious NPM packages fetch infostealer for Windows, Linux, macOS — www.bleepingcomputer.com — 30.10.2025 01:16
- 30.10.2025 01:16 · 3 articles · 7mo ago
Socket details the fake CAPTCHA infostealer chain
Technical Analysis Update: Socket researchers analyzed ten malicious npm packages that impersonated legitimate software projects, used a fake CAPTCHA and multiple obfuscation layers, launched a 24 MB PyInstaller-packaged infostealer after installation, and stole credentials from Windows Credential Manager, macOS Keychain, Linux SecretService, libsecret, KWallet, Chromium-based and Firefox browser data, SSH keys, OAuth tokens, JWTs, and other API tokens before exfiltrating compressed archives to 195[.]133[.]79[.]43. The packages remained available at publication despite being reported to npm and had nearly 10,000 downloads.
Sources:
- Malicious NPM packages fetch infostealer for Windows, Linux, macOS — www.bleepingcomputer.com — 30.10.2025 01:16
- 10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux — thehackernews.com — 29.10.2025 10:34
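A defender-side check for the two signals this timeline describes, lookalike names of popular packages and install-time lifecycle scripts, as an added example rather than code from the original report or from Socket. The popular-package list is taken from the names the timeline says were impersonated; the manifests are constructed sample data.

```javascript
// Added defender-side check, not code from the original report: it flags dependencies
// whose names nearly match well-known packages and dependencies that declare npm
// install-lifecycle scripts, the two signals the campaign above combined. POPULAR lists
// the names the report says were impersonated; SAMPLE below is constructed data.
const POPULAR = ["typescript", "discord.js", "ethers", "nodemon", "react-router-dom", "zustand"];
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Levenshtein distance with one rolling row: minimum single-character edits from a to b.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // d[i-1][j-1] for the current j
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j]
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Audit manifests of the form { name, scripts }. maxDistance bounds how close a name
// must be to a popular one to count as a lookalike; an exact match is the genuine package.
function auditManifests(manifests, maxDistance = 2) {
  const findings = [];
  for (const m of manifests) {
    const exact = POPULAR.includes(m.name);
    const ranked = POPULAR.map((p) => ({ target: p, distance: editDistance(m.name, p) }))
      .sort((x, y) => x.distance - y.distance);
    const hooks = LIFECYCLE_HOOKS.filter((h) => m.scripts && h in m.scripts);
    const lookalike = !exact && ranked[0].distance <= maxDistance;
    if (!lookalike && hooks.length === 0) continue;
    findings.push({ name: m.name, lookalikeOf: lookalike ? ranked[0].target : null, installHooks: hooks,
      severity: lookalike && hooks.length > 0 ? "high" : "medium" }); // both signals together
  }
  return findings;
}

// Constructed sample: one genuine package, two lookalikes, one unrelated package with a hook.
const SAMPLE = [
  { name: "zustand", scripts: { build: "tsc" } },
  { name: "typescrip", scripts: { postinstall: "node setup.js" } },
  { name: "nodemonn", scripts: {} },
  { name: "left-pad", scripts: { install: "node-gyp rebuild" } },
];
console.log(JSON.stringify(auditManifests(SAMPLE), null, 2));
```

In a CI gate the same audit can be run over every entry of a lockfile, with the severity used to decide between blocking the install and opening a review ticket.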