
Typosquatted npm packages delivering a PyInstaller infostealer

Malware Activity
2 unique sources, 2 articles

Summary


Ten malicious npm packages impersonated popular libraries and delivered a 24 MB PyInstaller infostealer to developers on Windows, Linux, and macOS. The packages used typosquatting, a fake CAPTCHA, and a postinstall hook to launch hidden code, then harvested browser passwords, session cookies, system keyring secrets, SSH keys, and tokens before exfiltrating data to 195[.]133[.]79[.]43. The packages were uploaded on July 4, 2025 and collectively drew nearly 10,000 downloads.

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Laravel Lang organization hit by network compromise

Incident
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Timeline

  1. 30.10.2025 01:16 2 articles · 6mo ago

    Typosquatted npm packages upload infostealer payload

    Technical Analysis Update

    Ten malicious npm packages uploaded on July 4 impersonated TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand to lure developers into installing a fake CAPTCHA workflow that launched a 24 MB PyInstaller-packaged infostealer. The loader used a self-decoding eval wrapper, XOR decryption with a dynamically generated key, URL-encoded payloads, and heavy control-flow obfuscation before staging stolen data in /var/tmp or /usr/tmp and exfiltrating compressed archives to 195[.]133[.]79[.]43.

  2. 30.10.2025 01:16 2 articles · 6mo ago

    Security researchers flag malicious npm packages stealing credentials

    Initial Disclosure

    Socket researchers identified ten malicious npm packages impersonating legitimate software projects and said the packages had nearly 10,000 downloads while stealing credentials from system keyrings, browsers, and authentication services on affected Windows, Linux, and macOS systems. The packages remained available after Socket reported them to npm, and users were advised to verify package names and rotate passwords and access tokens.

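The two traits the timeline describes, a typosquatted name and an install-time lifecycle hook, can be checked locally before code from a fresh `npm install` runs again. This is an added example, not code from Socket or from the report; the watchlist is the set of impersonated libraries named above, the edit-distance threshold is an illustrative assumption, and the sample `node_modules` tree is constructed in a temporary directory.

```python
# Added example (not from the original report): flag installed npm packages that
# combine a typosquat-like name with an install lifecycle script. The threshold of
# two edits and the constructed sample tree below are assumptions for illustration.
import json
import os
import tempfile

# Popular libraries impersonated in the campaign described on the page.
WATCHLIST = ["typescript", "discord.js", "ethers", "nodemon", "react-router-dom", "zustand"]
# Scripts npm runs automatically during installation.
LIFECYCLE = ("preinstall", "install", "postinstall")


def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; one or two edits is typical of a typosquat.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_node_modules(root: str) -> list:
    # Return (package, impersonated name, hook, command) for each suspicious package.
    findings = []
    for name in sorted(os.listdir(root)):
        manifest = os.path.join(root, name, "package.json")
        if not os.path.isfile(manifest):
            continue  # .bin directories, scoped-package folders, stray files
        with open(manifest, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
        hooks = [h for h in LIFECYCLE if h in scripts]
        if not hooks:
            continue  # nothing executes at install time, so no postinstall risk
        for popular in WATCHLIST:
            # The exact name is the genuine package; a near miss is the signal.
            if name != popular and edit_distance(name, popular) <= 2:
                findings.append((name, popular, hooks[0], scripts[hooks[0]]))
    return findings


def build_sample_tree() -> str:
    # Constructed node_modules: the real zustand plus a look-alike with a postinstall hook.
    root = tempfile.mkdtemp()
    samples = {
        "zustand": {"name": "zustand", "scripts": {"test": "jest"}},
        "zustnad": {"name": "zustnad", "scripts": {"postinstall": "node setup.js"}},
    }
    for name, meta in samples.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root
```

Run `audit_node_modules("node_modules")` in a project directory to list look-alike packages that register install-time scripts; a hit warrants reading the hook's command before trusting the package.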