data_extracter
data_extracter is a cross-platform credential-stealing binary delivered in a malicious npm supply-chain campaign targeting developer machines on Windows, Linux, and macOS. The referenced packages execute automatically during npm install via a postinstall script, display a fake CAPTCHA, fingerprint the victim system, and then download a roughly 24 MB binary named data_extracter. The malware is described as a PyInstaller-packaged Python application that bundles its own runtime and resources, so it runs even when Python is not installed on the victim host. Its capabilities include extracting credentials and secrets from multiple sources: browser SQLite databases holding cookies and saved passwords; system keyrings such as Windows Credential Manager, macOS Keychain, and Linux SecretService; and SSH keys, tokens, API keys, and other service credentials stored in configuration files. The stolen data is then exfiltrated to attacker-controlled infrastructure. The content indicates with high confidence that the targets are developer environments and the developer credentials and CI secrets exposed through malicious npm packages; it provides no threat-actor attribution and no concrete IOC values.
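As an added defender-side example (not code from this page or from any vendor), the following Python script audits an installed node_modules tree for the install-lifecycle hooks this campaign abuses and for files carrying the data_extracter name. The heuristic patterns and the sample inputs are assumptions constructed for illustration, not indicators taken from the page.

```python
import json
import os
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Heuristic for download-and-execute style hooks; constructed for this example, not page IOCs.
SUSPICIOUS = re.compile(r"curl|wget|Invoke-WebRequest|node\s+-e|base64|chmod\s+\+x|/tmp/", re.I)
DROPPED_NAME = "data_extracter"  # binary name reported on the page


def audit_package_json(text, path="<inline>"):
    """Return findings for one package.json document (dicts with path/package/hook/script/flag)."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return [{"path": path, "package": None, "hook": None, "script": None,
                 "flag": "unparseable package.json"}]
    scripts = pkg.get("scripts") if isinstance(pkg, dict) else None
    if not isinstance(scripts, dict):
        return []
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd:
            continue
        # Any lifecycle hook deserves review; download/execute shapes get a stronger flag.
        flag = "download-and-execute pattern" if SUSPICIOUS.search(cmd) else "lifecycle hook present"
        findings.append({"path": path, "package": pkg.get("name"), "hook": hook,
                         "script": cmd, "flag": flag})
    return findings


def audit_node_modules(root):
    """Walk a node_modules tree: audit every package.json and flag files named like the dropper."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == "package.json":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_package_json(fh.read(), full))
            elif name.lower().startswith(DROPPED_NAME):
                findings.append({"path": full, "package": None, "hook": None, "script": None,
                                 "flag": "file named like the dropped binary"})
    return findings


if __name__ == "__main__":
    import sys
    for f in audit_node_modules(sys.argv[1] if len(sys.argv) > 1 else "node_modules"):
        print(f"{f['flag']}: {f['path']} {f['hook'] or ''} {f['script'] or ''}".rstrip())
```

Run it against a project's node_modules after install; a legitimate native module (for example one running node-gyp) will still show up as a plain lifecycle hook, so the stronger flag is the one to triage first.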
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth: 1 technique
Credential Access: 5 techniques
The infostealer also leverages specialized libraries for extracting OAuth tokens, JSON Web Tokens (JWTs) and LaunchPad credentials...
...and configuration files containing API keys and service credentials.
The application is a credential stealer designed to extract credentials from multiple locations, including system keyrings (Windows Credential Manager, macOS Keychain and Linux SecretService), browser SQLite databases containing cookies and passwords, and configuration files containing API keys and service credentials.
Discovery: 1 technique
Command and Control: 1 technique
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Credential-stealing malware distributed via malicious npm packages, designed to extract credentials from system keyrings, browsers, and configuration files, with a focus on developer environments and CI/CD pipelines.
Cross-platform credential stealer distributed via typosquatted npm packages, exfiltrating browser passwords, SSH keys, and other secrets.