Npm typosquatting campaign using fake CAPTCHA lures
Campaign
Summary
Hide ▲
Show ▼
A npm typosquatting campaign used fake CAPTCHA lures and impersonating packages to deliver a credential-stealing infostealer to developers on Windows, Linux, and macOS. The malicious packages were uploaded on July 4, 2025, used a postinstall hook and four layers of obfuscation, and collected nearly 10,000 downloads. After installation, the loader fetched a 24 MB PyInstaller-packaged payload that harvested browser data, SSH keys, OAuth tokens, JWTs, and system keyring secrets. Stolen data was compressed and exfiltrated to 195[.]133[.]79[.]43.
Related Happenings
Malicious npm packages delivering Windows RAT
Malware Activity
H score3
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Malicious npm packages delivering Windows RAT
Malware ActivityAbout this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
Deps credential stealer in hijacked Arch AUR builds
Malware Activity
H score3
First: 12.06.2026 22:24
Last: 12.06.2026 22:24
Sources 1
About this happening:
**Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...
Deps credential stealer in hijacked Arch AUR builds
Malware ActivityAbout this happening: **Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...
Shai-Hulud PyPI supply-chain malware activity
Malware Activity
H score22
First: 08.06.2026 23:41
Last: 08.06.2026 23:41
Sources 1
About this happening:
The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Shai-Hulud PyPI supply-chain malware activity
Malware ActivityAbout this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Timeline
-
30.10.2025 01:16 1 articles · 8mo ago
Malicious npm package uploads begin
Campaign Scope UpdateA threat actor uploaded ten malicious npm packages on July 4, using typosquatting names that mimicked TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand to position a later credential-stealing payload for developers searching for legitimate open-source projects.
Show sources
- Malicious NPM packages fetch infostealer for Windows, Linux, macOS — www.bleepingcomputer.com — 30.10.2025 01:16
-
30.10.2025 01:16 3 articles · 8mo ago
Socket details the fake CAPTCHA infostealer chain
Technical Analysis UpdateSocket researchers analyzed ten malicious npm packages that impersonated legitimate software projects, used a fake CAPTCHA and multiple obfuscation layers, launched a 24MB PyInstaller-packaged infostealer after installation, and stole credentials from Windows Credential Manager, macOS Keychain, Linux SecretService, libsecret, KWallet, Chromium-based and Firefox browser data, SSH keys, OAuth tokens, JWTs, and other API tokens before exfiltrating compressed archives to 195[.]133[.]79[.]43; the packages remained available at publication despite being reported to npm and had nearly 10,000 downloads.
Show sources
- Malicious NPM packages fetch infostealer for Windows, Linux, macOS — www.bleepingcomputer.com — 30.10.2025 01:16
- Malicious NPM packages fetch infostealer for Windows, Linux, macOS — www.bleepingcomputer.com — 30.10.2025 01:16
- 10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux — thehackernews.com — 29.10.2025 10:34