Find notable cyber news and cases, enriched with sources, timelines, and signals.

Typosquatted npm packages delivering a PyInstaller infostealer

Malware Activity
First reported
Last updated
Happening score
H score 29
2 unique sources, 2 articles

Summary

Hide ▲

Ten malicious npm packages impersonated popular libraries and delivered a 24 MB PyInstaller infostealer to developers on Windows, Linux, and macOS. The packages used typosquatting, a fake CAPTCHA, and a postinstall hook to launch hidden code, then harvested browser passwords, session cookies, system keyring secrets, SSH keys, and tokens before exfiltrating data to 195[.]133[.]79[.]43. The packages were uploaded on July 4, 2025 and collectively drew nearly 10,000 downloads.

Related Happenings

Postcss-minify-selector-parser Windows RAT delivery chain

Malware Activity
H score29 First: 23.06.2026 18:00 Last: 23.06.2026 18:00 Sources 1

About this happening: The **postcss-minify-selector-parser** npm package delivered a **multi-stage Windows RAT**, creating a supply-chain path onto **developer machines** and exposing **browser logins*...

Malicious npm packages delivering Windows RAT

Malware Activity
H score3 First: 23.06.2026 11:54 Last: 23.06.2026 11:54 Sources 1

About this happening: A set of **malicious npm packages** is delivering a **Windows-based RAT** through a **multi-stage install chain**, creating risk of **credential theft**, **host profiling**, and *...

Easy-day-js malware delivery through poisoned Mastra packages

Malware Activity
H score29 First: 22.06.2026 14:30 Last: 22.06.2026 14:30 Sources 1

About this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Timeline

  1. 30.10.2025 01:16 2 articles · 8mo ago

    Typosquatted npm packages upload infostealer payload

    Technical Analysis Update

    Ten malicious npm packages uploaded on July 4 impersonated TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand to lure developers into installing a fake CAPTCHA workflow that launched a 24 MB PyInstaller-packaged infostealer. The loader used a self-decoding eval wrapper, XOR decryption with a dynamically generated key, URL-encoded payloads, and heavy control-flow obfuscation before staging stolen data in /var/tmp or /usr/tmp and exfiltrating compressed archives to 195[.]133[.]79[.]43.

    Show sources
  2. 30.10.2025 01:16 2 articles · 8mo ago

    Security researchers flag malicious npm packages stealing credentials

    Initial Disclosure

    Socket researchers identified ten malicious npm packages impersonating legitimate software projects and said the packages had nearly 10,000 downloads while stealing credentials from system keyrings, browsers, and authentication services on affected Windows, Linux, and macOS systems. The packages remained available after Socket reported them to npm, and users were advised to verify package names and rotate passwords and access tokens.

    Show sources