The npm ecosystem faces a sophisticated new threat as ten malicious packages have emerged, each designed to automatically execute during installation and deploy a comprehensive credential harvesting operation.

This attack campaign represents a significant evolution in supply chain compromises, combining multiple layers of obfuscation with cross-platform compatibility to target developers across Windows, Linux, and macOS environments.

The malware employs typosquatting techniques to mimic popular JavaScript libraries, making detection particularly challenging for unsuspecting developers.

Published on July 4, 2025, these packages have remained active for over four months, accumulating more than 9,900 downloads collectively before Socket.dev analysts identified their malicious nature.

The threat actor, operating under the alias andrew_r1 with the email address parvlhonor@gmx[.]com, crafted each package to closely resemble legitimate libraries including discord.js, ethers.js, TypeScript, and other commonly used development dependencies.

This typosquatting approach capitalizes on common spelling mistakes and variations that developers might inadvertently introduce when installing packages.

Each malicious package leverages npm’s postinstall lifecycle hook to execute immediately upon installation, launching in a new terminal window to avoid detection during the installation process.

The malware’s design ensures it runs independently of the npm install command, minimizing the likelihood that developers will notice unusual activity.

The packages include sophisticated platform detection capabilities, automatically identifying the victim’s operating system and deploying the appropriate execution method for Windows command prompts, Linux terminals, or macOS Terminal.app.

The campaign demonstrates advanced technical capabilities through its implementation of four distinct obfuscation layers.

These include a self-decoding eval wrapper that prevents cursory code inspection, XOR decryption with dynamically generated keys based on the decoder function’s source code, URL encoding of payload strings, and control flow obfuscation using switch-case state machines with mixed hexadecimal and octal arithmetic.

This multi-layered approach makes static analysis extremely difficult without full JavaScript evaluation.

Upon successful installation, the malware presents victims with a fake CAPTCHA prompt designed as a social engineering component.

This element serves multiple purposes: making the package appear legitimate, delaying execution to obscure its connection to npm install, requiring user interaction that may bypass automated security scans, and convincing developers they are interacting with a reputable security measure.

Multi-Stage Infection and Credential Harvesting Mechanism

The malware’s infection mechanism operates through a carefully orchestrated multi-stage process that combines deception with sophisticated data extraction capabilities.

Following the fake CAPTCHA presentation, the system performs IP fingerprinting by sending the victim’s address to http://195[.]133[.]79[.]43/get_current_ip, enabling the threat actor to log installations, potentially filter by geographical location, and track security researcher activity.

Once the victim interacts with the CAPTCHA prompt, the malware automatically downloads and executes a 24MB PyInstaller-packaged binary called data_extracter.

This cross-platform information stealer targets multiple credential storage mechanisms across all major operating systems.

The binary includes platform-specific implementations for Linux SecretService D-Bus API and GNOME Keyring, macOS Keychain Services API, and Windows Credential Manager, ensuring comprehensive credential extraction regardless of the victim’s environment.

// Detects platform and spawns new terminal window
const platform = os.platform();
if (platform == 'win32') {
    exec('start cmd /k "node app.js"');
} else if (platform == 'linux') {
    exec('gnome-terminal -- bash -c "node app.js"', (error) => {
        if (error) exec('x-terminal-emulator -e "bash -c \'node app.js\'"');
    });
} else if (platform == 'Darwin') {
    exec(`osascript -e 'tell app "Terminal"
        do script "node '$(pwd)/app.js'"  
    end tell'`, () => {});
}

The data_extracter binary performs extensive file system reconnaissance, systematically scanning for credential stores in browser profile directories, SSH key directories, AWS credentials files, Kubernetes configuration files, and Docker registry credentials.

It targets SQLite databases containing browser cookies and passwords, JSON configuration files with API keys, SSH private keys for Git authentication, and OAuth/JWT tokens that provide long-term access to cloud services and development platforms.

This comprehensive approach ensures the attacker captures not only interactive credentials but also service account credentials and automation keys used in modern development workflows.

Upon completion of credential harvesting, the malware packages all extracted data into a compressed archive that is transmitted back to the threat actor’s command and control server at 195[.]133[.]79[.]43.

The stolen credentials provide immediate access to corporate email systems, cloud infrastructure, internal networks, production databases, and authenticated web applications, while session cookies enable account takeover without triggering password reset notifications.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post 10 Malicious npm Packages with Auto-Run Feature on Install Deploys Multi-Stage Credential Harvester appeared first on Cyber Security News.

The threat landscape continues to evolve as Gunra ransomware emerged in April 2025, establishing itself as a significant threat to organizations worldwide.

This dual-platform attack group has demonstrated a systematic approach to compromising both Windows and Linux environments, making their campaign one of the more noteworthy distributed ransomware operations in recent months.

Organizations across multiple industries and sectors have reported successful infection attempts, with damage cases extending into the Asia-Pacific region, including South Korea.

Gunra operates with a familiar yet effective ransomware model: encrypt critical files on infected systems, exfiltrate sensitive data from compromised organizations, and demand ransom payments with threats of public disclosure if demands are not met.

What distinguishes Gunra from other ransomware operators is its deliberate development of platform-specific variants. The group distributes their malware in two distinct formats: executable files for Windows environments and ELF binaries for Linux systems.

This strategic approach allows them to maximize their attack surface and penetrate diverse infrastructure environments that many organizations maintain.

ASEC analysts identified that the Gunra ransomware operates through a command-line interface requiring multiple parameters to execute its encryption routines.

The malware performs validity checks on provided arguments before initializing its main execution routine, ensuring all necessary parameters are present and valid.

This structured approach demonstrates the sophistication and careful engineering behind the campaign.

Cryptographic Weakness and Decryption Vulnerability

The technical analysis reveals a critical vulnerability in the ELF version of Gunra ransomware that fundamentally weakens its encryption scheme.

ASEC researchers discovered that the malware utilizes the ChaCha20 encryption algorithm with a cryptographically insecure random number generation function.

The vulnerability stems from the seed generation process, which relies on the time() function to create predictable values for the rand() function.

The flaw becomes apparent when examining how the 32-byte encryption key and 12-byte nonce values are generated. When multiple encryption iterations occur within extremely short time intervals, the seed value remains identical across different execution threads.

This causes the rand() function to produce identical byte sequences, resulting in encryption keys and nonce arrays containing repeated byte patterns.

Consequently, the ChaCha20 keys become cryptographically weak and susceptible to brute-force attacks across 256 possible byte values.

This cryptographic oversight enables file decryption with high probability using brute-force techniques based on byte values ranging from 0x00 to 0xFF.

In stark contrast, the Windows EXE version implements ChaCha8 encryption with key generation through the CryptGenRandom() API, employing cryptographically secure random number generation that makes decryption virtually impossible.

This disparity between implementations highlights the varying security postures across different platforms.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Gunra Ransomware Leveraging Attacking Windows and Linux Systems with Two Encryption Methods appeared first on Cyber Security News.

A new remote access trojan called Atroposia has emerged as one of the most concerning threats in the cybercriminal underground, offering an unprecedented combination of stealth capabilities and attack features.

This modular malware operates as a turnkey criminal toolkit designed specifically to lower the technical barrier for threat actors of varying skill levels.

Priced aggressively at approximately $200 monthly or $900 for six months, Atroposia democratizes sophisticated cyberattacks in ways previously reserved for advanced persistent threat groups.

The malware represents a troubling trend in how modern cybercriminals bundle multiple offensive capabilities into user-friendly platforms.

Similar to contemporaneous tools like SpamGPT and MatrixPDF, Atroposia packages hidden remote desktop takeover, credential harvesting, cryptocurrency wallet theft, DNS hijacking, and vulnerability scanning alongside encrypted command-and-control communications.

Its intuitive control panel and plugin builder architecture mean even operators with minimal technical expertise can orchestrate complex intrusions against enterprise environments.

The threat landscape shifted notably when Varonis researchers identified Atroposia circulating across underground forums.

Varonis analysts noted the malware automatically escalates privileges through User Access Control bypass mechanisms and installs multiple persistence techniques to maintain access across system reboots.

These capabilities allow attackers to blend seamlessly into compromised systems, evade antivirus software, and maintain long-term presence without triggering security alerts.

Hidden Remote Desktop Access and System Persistence

Atroposia’s most insidious feature centers on its hidden remote desktop protocol implementation, branded as HRDP Connect.

This functionality spawns covert desktop sessions in the background, creating invisible shadow logins that grant attackers complete system interaction capabilities.

When attackers exploit this feature, victims see no on-screen indication of remote control, allowing intruders to surveil activities, access sensitive documents, manipulate workflows, and piggyback on authenticated sessions without detection.

The legitimate user remains entirely unaware of the intrusion occurring in real time.

The hidden RDP capability bypasses traditional remote access monitoring systems since it doesn’t generate standard remote desktop notifications or logged-in user prompts.

Attackers can conduct espionage and data theft activities while operating under the guise of legitimate user sessions.

Combined with Atroposia’s dedicated file manager providing complete remote file system access, operators can exfiltrate sensitive data through fileless techniques that minimize on-disk footprints and evade data loss prevention systems.

The malware’s Grabber module can automatically hunt files by extension or keyword, compress them into password-protected archives, and extract data entirely in memory, leaving minimal forensic traces.

The emergence of Atroposia exemplifies how cybercrime continues evolving into a service industry where sophisticated attack capabilities no longer depend on threat actor expertise but rather financial access and market availability.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Atroposia RAT with Stealthy Remote Desktop, Vulnerability Scanner and Persistence Mechanisms appeared first on Cyber Security News.