Find notable cyber news and cases, enriched with sources, timelines, and signals.

Npm typosquatting campaign using fake CAPTCHA lures

Campaign
First reported
Last updated
Happening score
H score 38
2 unique sources, 2 articles

Summary

Hide ▲

A npm typosquatting campaign used fake CAPTCHA lures and impersonating packages to deliver a credential-stealing infostealer to developers on Windows, Linux, and macOS. The malicious packages were uploaded on July 4, 2025, used a postinstall hook and four layers of obfuscation, and collected nearly 10,000 downloads. After installation, the loader fetched a 24 MB PyInstaller-packaged payload that harvested browser data, SSH keys, OAuth tokens, JWTs, and system keyring secrets. Stolen data was compressed and exfiltrated to 195[.]133[.]79[.]43.

Related Happenings

Malicious npm packages delivering Windows RAT

Malware Activity
H score3 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Deps credential stealer in hijacked Arch AUR builds

Malware Activity
H score3 First: 12.06.2026 22:24 Last: 12.06.2026 22:24 Sources 1

About this happening: **Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...

Shai-Hulud PyPI supply-chain malware activity

Malware Activity
H score22 First: 08.06.2026 23:41 Last: 08.06.2026 23:41 Sources 1

About this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...

Timeline

  1. 30.10.2025 01:16 1 articles · 8mo ago

    Malicious npm package uploads begin

    Campaign Scope Update

    A threat actor uploaded ten malicious npm packages on July 4, using typosquatting names that mimicked TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand to position a later credential-stealing payload for developers searching for legitimate open-source projects.

    Show sources
  2. 30.10.2025 01:16 3 articles · 8mo ago

    Socket details the fake CAPTCHA infostealer chain

    Technical Analysis Update

    Socket researchers analyzed ten malicious npm packages that impersonated legitimate software projects, used a fake CAPTCHA and multiple obfuscation layers, launched a 24MB PyInstaller-packaged infostealer after installation, and stole credentials from Windows Credential Manager, macOS Keychain, Linux SecretService, libsecret, KWallet, Chromium-based and Firefox browser data, SSH keys, OAuth tokens, JWTs, and other API tokens before exfiltrating compressed archives to 195[.]133[.]79[.]43; the packages remained available at publication despite being reported to npm and had nearly 10,000 downloads.

    Show sources