A new software supply-chain attack has been uncovered involving ten malicious npm packages designed to steal developer credentials across Windows, macOS, and Linux systems. These packages impersonate well-known open-source libraries such as TypeScript, discord.js, ethers.js, nodemon, react-router-dom, and zustand, aiming to infiltrate developer workflows and CI/CD environments.
Once installed, the malware displays a fake CAPTCHA prompt, fingerprints the victim’s host, and downloads a 24 MB cross-platform information-stealer from the remote command-and-control (C2) server 195.133.79.43.
Confirmed Malicious Packages
| Package Name | Legitimate Library Impersonated | Notes |
| --- | --- | --- |
| nodejs-devtool | Node.js | Fake developer utility containing payload installer |
| typescript-tools-dev | TypeScript | Mimics TypeScript support library |
| discord-bot-client | discord.js | Targets developers of Discord bots |
| react-router-dom-pro | react-router-dom | Injected fake router build |
| ethers-connect | ethers.js | Wallet integration spoof |
| zustand-dev | zustand | Malicious state-management clone |
| nodemon-core | nodemon | Fake hot-reload module |
| api-express-core | Express | Pretends to add Express helpers |
| vue-dev-server-tools | Vue.js | Malicious front-end helper |
| snyk-security-tools | snyk | Impersonates a popular security scanner |
Impacted Ecosystem
- Developers and organizations using npm or automated package pipelines.
- Build systems pulling dependencies via package.json without integrity checks.
- Potential compromise of private repositories, build credentials, and cloud access tokens.
Mitigation Recommendations
Audit npm installations using npm list or npm audit to confirm none of the malicious packages are present. If any are detected, please proceed with the following steps:
- Uninstall and clean systems affected by any of the packages listed.
- Rotate credentials: SSH keys, npm tokens, and repository access tokens.
- Enforce package-signature and integrity checks, and run npm with --ignore-scripts when installing from untrusted sources so install-time lifecycle scripts cannot execute.
- Integrate dependency scanning into CI/CD pipelines.
- Monitor outbound traffic for connections to 195.133.79.43 or related indicators.
Stay Safe. Stay Secure.
OP Innovate Research Team