Typosquatted npm packages delivering a PyInstaller infostealer
Malware Activity
Summary
Hide ▲
Show ▼
Ten malicious npm packages impersonated popular libraries and delivered a 24 MB PyInstaller infostealer to developers on Windows, Linux, and macOS. The packages used typosquatting, a fake CAPTCHA, and a postinstall hook to launch hidden code, then harvested browser passwords, session cookies, system keyring secrets, SSH keys, and tokens before exfiltrating data to 195[.]133[.]79[.]43. The packages were uploaded on July 4, 2025 and collectively drew nearly 10,000 downloads.
Related Happenings
Postcss-minify-selector-parser Windows RAT delivery chain
Malware Activity
H score29
First: 23.06.2026 18:00
Last: 23.06.2026 18:00
Sources 1
About this happening:
The **postcss-minify-selector-parser** npm package delivered a **multi-stage Windows RAT**, creating a supply-chain path onto **developer machines** and exposing **browser logins*...
Postcss-minify-selector-parser Windows RAT delivery chain
Malware ActivityAbout this happening: The **postcss-minify-selector-parser** npm package delivered a **multi-stage Windows RAT**, creating a supply-chain path onto **developer machines** and exposing **browser logins*...
Malicious npm packages delivering Windows RAT
Malware Activity
H score3
First: 23.06.2026 11:54
Last: 23.06.2026 11:54
Sources 1
About this happening:
A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Malicious npm packages delivering Windows RAT
Malware ActivityAbout this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...
Easy-day-js malware delivery through poisoned Mastra packages
Malware Activity
H score29
First: 22.06.2026 14:30
Last: 22.06.2026 14:30
Sources 1
About this happening:
A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
Easy-day-js malware delivery through poisoned Mastra packages
Malware ActivityAbout this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
Timeline
-
30.10.2025 01:16 2 articles · 8mo ago
Typosquatted npm packages upload infostealer payload
Technical Analysis UpdateTen malicious npm packages uploaded on July 4 impersonated TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand to lure developers into installing a fake CAPTCHA workflow that launched a 24 MB PyInstaller-packaged infostealer. The loader used a self-decoding eval wrapper, XOR decryption with a dynamically generated key, URL-encoded payloads, and heavy control-flow obfuscation before staging stolen data in /var/tmp or /usr/tmp and exfiltrating compressed archives to 195[.]133[.]79[.]43.
Show sources
- Malicious NPM packages fetch infostealer for Windows, Linux, macOS — www.bleepingcomputer.com — 30.10.2025 01:16
- Malicious NPM packages fetch infostealer for Windows, Linux, macOS — www.bleepingcomputer.com — 30.10.2025 01:16
-
30.10.2025 01:16 2 articles · 8mo ago
Security researchers flag malicious npm packages stealing credentials
Initial DisclosureSocket researchers identified ten malicious npm packages impersonating legitimate software projects and said the packages had nearly 10,000 downloads while stealing credentials from system keyrings, browsers, and authentication services on affected Windows, Linux, and macOS systems. The packages remained available after Socket reported them to npm, and users were advised to verify package names and rotate passwords and access tokens.
Show sources
- Malicious NPM packages fetch infostealer for Windows, Linux, macOS — www.bleepingcomputer.com — 30.10.2025 01:16
- 10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux — thehackernews.com — 29.10.2025 10:34