- Ten typosquatted NPM packages delivered information-stealing malware to nearly 10,000 systems.
- The malware targeted system keyrings, bypassing application-level security to steal decrypted credentials.
- Affected users should revoke their credentials, rebuild systems, and enable multi-factor authentication.
Nearly a dozen malicious NPM packages, distributing dangerous information-stealing malware, were downloaded approximately 10,000 times before being spotted and removed.
Security researchers at Socket recently found 10 malicious packages on npm, the Node Package Manager registry that developers use to install JavaScript and Node.js libraries.
These were uploaded in early July 2025 and, as their names show, are mostly typosquatted variants of popular packages, such as TypeScript, discord.js, ethers.js and others. In total, they were downloaded 9,900 times before being removed from the platform.
Here is the full list:
deezcord.js
dezcord.js
dizcordjs
etherdjs
ethesjs
ethetsjs
nodemonjs
react-router-dom.js
typedjs
zustand.js
The infostealer was designed to harvest credentials from system keyrings, browsers, and authentication services, and it works on all major platforms, including Windows, Linux and macOS.
“The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB information stealer packaged in PyInstaller,” explained Kush Pandya, security researcher at Socket.
System keyrings are a particularly important target, Pandya explained, because they store credentials for critical services such as email clients, cloud storage sync tools, password managers, SSH passphrases, database connection strings and other applications that integrate with the operating system’s credentials store.
“By directly targeting the keyring, the malware bypasses application-level security and harvests stored credentials in their decrypted form. These credentials provide immediate access to corporate email, file storage, internal networks, and production databases.”
How to stay safe
Obviously, if you have installed any of the packages listed above, you should consider the system entirely compromised. To mitigate the risk, disconnect the affected system from the internet; revoke all potentially exposed credentials, including SSH keys, API tokens, GitHub or GitLab access tokens, cloud provider keys (AWS, GCP, Azure), npm tokens, and any credentials stored in browsers or password managers; wipe and rebuild the infected system; change all passwords; and audit your npm dependencies and lock files.
Finally, review system and network logs for any suspicious activity or outgoing connections to unknown domains, and enable multi-factor authentication on all accounts.
Via Hacker news