
The CAPTCHA npm Creature Devours Credentials Across Windows, macOS and Linux

  • Javier Conejo del Cerro
  • 4 days ago
  • 4 min read

From the depths of the software supply chain, a new digital monster has risen. Researchers have uncovered a Frankenstein-like cluster of typosquatted npm packages that, since early July 2025, have silently harvested credentials from developers across Windows, macOS, and Linux.

What appears at first as an innocent package installation hides a sinister trick: a fake CAPTCHA screen, an invisible postinstall hook, and a 24 MB PyInstaller stealer designed to fingerprint hosts and siphon credentials from system keyrings, browsers, SSH keys, and CI/CD environments.

In total, around 9,900 downloads of these infected packages have already occurred, illustrating once again how the open-source ecosystem can turn into a playground for threat actors when trust meets automation.


Phase 1: The Bait — Typosquatting the npm Ecosystem 


The attack begins with typosquatted npm packages uploaded to the official registry, mimicking legitimate and widely used libraries. Among the most notable were deezcord.js, dezcord.js, dizcordjs, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, typescriptjs, and zustand.js.

By exploiting slight misspellings or common developer typing mistakes, attackers lure unsuspecting users installing packages for automation, continuous integration, or development tasks. This technique relies on developers’ trust in npm — an ecosystem known for convenience and speed — and on the habit of reusing commands or scripts without manually verifying every dependency name.

Once these trojanized packages are fetched, the infection begins automatically, setting the stage for deeper compromise.
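A defender can catch names like these before install by comparing each requested dependency against an internal allowlist. The sketch below is an added example, not code from the researchers or from npm; the allowlist of presumed legitimate targets and the 0.4 distance ratio are assumptions to tune.

```javascript
// Added example: flag dependency names that imitate an allowlisted package.
// ALLOWLIST and MAX_RATIO are assumptions for this sketch; tune both for your org.
const ALLOWLIST = ["discord.js", "ethers", "nodemon", "react-router-dom", "typescript", "zustand"];
const MAX_RATIO = 0.4; // edit distance divided by the longer normalized name

// Strip case and a trailing "js" / ".js" / "-js" decoration before comparing.
const normalize = (name) => name.toLowerCase().replace(/[._-]?js$/, "");

// Two-row Levenshtein edit distance.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns null for an allowlisted or unrelated name, else the closest allowlisted name.
function checkName(name) {
  if (ALLOWLIST.includes(name)) return null;
  const n = normalize(name);
  let best = null;
  for (const good of ALLOWLIST) {
    const g = normalize(good);
    const distance = editDistance(n, g);
    const ratio = distance / Math.max(n.length, g.length, 1);
    if (ratio <= MAX_RATIO && (!best || distance < best.distance)) {
      best = { name, lookalikeOf: good, distance };
    }
  }
  return best;
}

// Package names reported in the article, plus two controls.
const reported = ["deezcord.js", "dezcord.js", "dizcordjs", "etherdjs", "ethesjs",
  "ethetsjs", "nodemonjs", "react-router-dom.js", "typescriptjs", "zustand.js"];
for (const name of [...reported, "discord.js", "lodash"]) {
  const hit = checkName(name);
  console.log(name.padEnd(22), hit ? `LOOKALIKE of ${hit.lookalikeOf} (distance ${hit.distance})` : "ok");
}
```

A distance of 0 means the name differs from an allowlisted package only by a "js" suffix, which covers four of the ten reported names.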


Phase 2: The Illusion — CAPTCHA and Postinstall Deception 


Upon installation, the malware deploys its disguise. A fake CAPTCHA prompt appears on the user’s screen, creating the illusion of legitimacy while concealing malicious operations behind the scenes.

Simultaneously, a postinstall hook — a legitimate npm lifecycle feature — triggers the next phase. This hook spawns a new terminal window, briefly visible before being cleared, and executes an obfuscated script that fingerprints the host. This includes collecting data such as the operating system, environment variables, and network information, all used to tailor the subsequent payload for each system type.

By exploiting a built-in npm mechanism, the attackers ensured the malware would execute silently with every installation, bypassing traditional endpoint and dependency scanners that often overlook postinstall activity.


Phase 3: The Infection — PyInstaller Payload Awakens 


The postinstall hook retrieves an obfuscated 24 MB PyInstaller payload from a remote attacker-controlled server. This executable contains the true heart of the operation: a multi-platform information stealer engineered for stealth and persistence.

Once unpacked, the payload begins scanning for sensitive data sources across all major operating systems. On Windows, it accesses browser credential stores and keyrings; on Linux, it targets SSH keys and configuration files; and on macOS, it collects session cookies and authentication tokens from system libraries.

The stealer compresses the data — including GitHub tokens, CI/CD configs, browser cookies, passwords, SSH keys, and corporate secrets — into an archive before exfiltrating it to a command-and-control server.

Its modular design allows the attackers to adjust the payload remotely, suggesting a broader infrastructure aimed at continuous data harvesting and supply-chain infiltration.


Phase 4: The Spread — Cross-Platform and Persistent 


This operation’s true sophistication lies in its cross-platform adaptability. Unlike traditional infostealers that focus on one OS, this malware dynamically adjusts based on the detected environment, ensuring success whether running on a developer workstation, a cloud-based build VM, or a CI/CD runner.

Such flexibility allows attackers to infiltrate entire software pipelines, capturing API keys, repository credentials, and deployment tokens that can be reused for lateral movement or further supply-chain poisoning.

The infection chain’s stealth — masked behind npm’s normal behavior — makes detection nearly impossible without explicit monitoring of lifecycle scripts and network anomalies during package installations.


Phase 5: The Fallout — Lessons from the Laboratory 


The campaign demonstrates the fragility of modern open-source ecosystems where automation, trust, and convenience intersect. npm’s flexibility is both its greatest strength and its weakest point: lifecycle hooks like postinstall are powerful, yet easily abused.

The use of fake CAPTCHA windows, obfuscated PyInstaller binaries, and cross-platform targeting reveals a level of technical maturity uncommon in typical npm malware. More importantly, the campaign’s design shows a deep understanding of developer behavior — from rapid package installations to dependency reuse across environments — turning speed into vulnerability.

To defend against such attacks, organizations must fortify their development environments with strict hygiene and visibility controls:

  • Install only vetted packages from trusted maintainers.

  • Disable lifecycle scripts (like postinstall) by default where unnecessary.

  • Isolate npm installations in sandboxed or containerized environments.

  • Block remote fetches from untrusted external domains.

  • Monitor postinstall activity for unexpected terminal spawns or outbound connections.

  • Rotate and restrict tokens, especially those stored in local or CI environments.

  • Deploy SCA and EDR tools capable of detecting remote dependencies and runtime execution anomalies.
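Several of these controls can be checked in CI before anything is installed. The added example below (not the researchers' or npm's own code) reads a lockfile and reports packages that would run install-time scripts without approval or that resolve from outside the expected registry. It relies on the `hasInstallScript` and `resolved` fields npm records in lockfile versions 2 and 3; the lockfile contents, the approved-script list and the trusted host list are constructed assumptions.

```javascript
// Added example: list lockfile entries that will run install-time scripts or
// resolve from outside the expected registry. The lockfile below is constructed;
// APPROVED_SCRIPTS and TRUSTED_HOSTS are assumptions to replace with your policy.
const APPROVED_SCRIPTS = new Set(["esbuild"]);
const TRUSTED_HOSTS = new Set(["registry.npmjs.org"]);
const NM = "node_modules/";

const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/esbuild": { version: "0.0.0-sample", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/esbuild/-/esbuild-0.0.0-sample.tgz" },
    "node_modules/zustand.js": { version: "0.0.0-sample", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/zustand.js/-/zustand.js-0.0.0-sample.tgz" },
    "node_modules/left-lib": { version: "0.0.0-sample",
      resolved: "https://pkgs.example.invalid/left-lib-0.0.0-sample.tgz" },
    "node_modules/a/node_modules/plain": { version: "0.0.0-sample",
      resolved: "https://registry.npmjs.org/plain/-/plain-0.0.0-sample.tgz" },
  },
});

// Returns one finding per policy violation, in lockfile order.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) throw new Error("lockfileVersion 2 or 3 required (no 'packages' map)");
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const i = path.lastIndexOf(NM);
    if (i < 0 || meta.link) continue; // skip root project, workspaces and links
    const name = path.slice(i + NM.length); // handles nested and scoped packages
    if (meta.hasInstallScript && !APPROVED_SCRIPTS.has(name)) {
      findings.push({ name, issue: "unapproved-install-script" });
    }
    if (meta.resolved) {
      let host = null;
      try { host = new URL(meta.resolved).hostname; } catch { /* not a URL: treat as untrusted */ }
      if (!TRUSTED_HOSTS.has(host)) {
        findings.push({ name, issue: "untrusted-source", detail: meta.resolved });
      }
    }
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK));
```

Failing the build on any finding pairs well with setting `ignore-scripts=true` in `.npmrc`, so lifecycle scripts run only for packages that have been reviewed and explicitly rebuilt.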


The CAPTCHA npm creature may have been stitched together from fragments of popular libraries, but its method is all too human: exploiting haste, trust, and routine.

As the open-source world continues to grow, security awareness must evolve with it — because in the wrong repository, even a single misplaced letter can awaken a monster.



The Hacker News


 
 
 
