EXECUTIVE SUMMARY:
A recent campaign involved the publication of several malicious npm packages disguised as legitimate open-source modules. These packages appeared to offer common functionality, such as SDK helpers or utility components, but were intentionally designed to deliver the Vidar infostealer once installed. By exploiting the automated behavior of npm’s post-install scripts, the attackers ensured that the payload executed immediately after the user added the package to their project. This approach took advantage of a critical trust gap within the open-source ecosystem: developers often rely on community-maintained packages without verifying their integrity. The campaign demonstrates how easily threat actors can embed malware within public registries and distribute it at scale. It also highlights the increasing use of software supply-chain compromise as a method for delivering information-stealing malware, marking a shift from traditional phishing or standalone infection methods toward embedded, developer-targeted infiltration.
Once installed, the malicious npm packages initiated an automated script that downloaded an encrypted archive from an external source, extracted a Windows binary, and executed it silently. The extracted binary was confirmed to be Vidar, a well-known infostealer that collects sensitive data from infected systems. Vidar specifically targets stored credentials in browsers, cookies, saved sessions, cryptocurrency wallets, and other local files containing personal or financial information. After harvesting the data, it compresses and exfiltrates it to a remote controller, giving the attacker direct access to compromised accounts. The campaign leveraged newly created npm publisher accounts with no prior activity, suggesting they were purpose-built for distribution. Each release used similar obfuscation and payload delivery methods, allowing the malicious code to bypass quick inspections and execute seamlessly during the installation process. This setup enabled threat actors to reach unsuspecting developers directly, turning legitimate dependency management into a pathway for credential theft.
This incident underscores the growing threat of Vidar being distributed through software supply-chain attacks and highlights the risks inherent in using public package registries like npm. Because these ecosystems are open and widely trusted, they provide an attractive route for attackers to deliver hidden payloads through otherwise ordinary dependencies. Developers and organizations should implement stricter dependency management practices, including version pinning, disabling automatic post-install script execution, and using security tools to scan for malicious indicators in packages before installation. Network monitoring during build and installation phases is also vital to detect any unexpected file downloads or background activity. Registry maintainers, on their part, should enforce stricter publishing rules and automated detection for suspicious accounts. Ultimately, the campaign serves as a warning that even a small or routine dependency can conceal potent threats like Vidar, emphasizing the need for continuous vigilance and layered defenses to secure the modern software supply chain.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Resource Development | T1587.001 | Develop Capabilities | Malware |
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547 | Boot or Logon Autostart Execution | — |
| Defence Evasion | T1027 | Obfuscated Files or Information | — |
| Credential Access | T1555 | Credentials from Password Stores | — |
| Discovery | T1082 | System Information Discovery | — |
| Collection | T1119 | Automated Collection | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1530 | Data from Cloud Storage | — |
REFERENCES:
The following reports contain further technical details: