Malicious npm Packages Using Typosquatting and Payload Obfuscation
Threat researchers reported an npm supply-chain attack in which a typosquatted package (buildrunner-dev) delivered Pulsar RAT via a multi-stage Windows infection chain. The package executed a script that fetched a large, heavily obfuscated batch file (packageloader.bat) containing mostly “noise” to evade static detection, performed security-product checks (including ESET, Malwarebytes, and F-Secure), established persistence by copying itself as protect.bat into a hidden folder, and attempted privilege escalation/UAC bypass using fodhelper.exe.
Separate supply-chain reporting highlighted how package-name deception is evolving beyond human typos into “slopsquatting” (AI/hallucination squatting), where attackers register package names that LLMs commonly invent and then rely on developers installing them on AI recommendation. Documented tradecraft includes malicious postinstall scripts to exfiltrate secrets from developer environments (API keys, cloud tokens, npm auth tokens) and the use of URL-based dependencies to fetch external payloads at install time, allowing the published package to appear benign to naive scanners.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Further reporting reveals buildrunner-dev used PNG-hosted staged payloads
Subsequent reporting added that multiple PNGs hosted on ImgBB carried an AMSI-bypass script, a compressed .NET loader, and a steganographic image used as a live C2 channel for on-demand encrypted Pulsar RAT delivery.
Researchers detail steganographic Pulsar RAT delivery via npm
Analysis showed 'buildrunner-dev' used a postinstall chain to fetch an obfuscated batch loader, establish persistence, attempt UAC bypass with fodhelper.exe, extract hidden code from PNG images, and inject Pulsar RAT into a legitimate process.
Aikido publishes slopsquatting research and mitigation guidance
Aikido publicly described 'slopsquatting' as an AI-era evolution of typosquatting, documented real-world examples, and recommended controls such as publisher verification, dependency-tree scanning, and guardrails for autonomous package installation.
Malicious npm package 'buildrunner-dev' is discovered
In February 2026, researchers discovered the npm package 'buildrunner-dev' typosquatting legitimate buildrunner-related packages to target developers through a supply-chain attack.
Malicious npm package 'unused-imports' is confirmed
Researchers identified a malicious npm package named 'unused-imports', commonly confused with the legitimate 'eslint-plugin-unused-imports', as a real-world example of slopsquatting or hallucination-driven package abuse.
Hallucinated npm package 'react-codeshift' propagates via GitHub
The hallucinated npm package name 'react-codeshift' spread through GitHub repositories and continued receiving downloads after the package name was claimed, showing how AI-generated package confusion can persist over time.
Hallucinated PyPI package name 'huggingface-cli' spreads widely
A hallucinated package name, 'huggingface-cli', appeared in AI-generated outputs and was installed broadly enough to accumulate tens of thousands of downloads, illustrating organic spread of non-existent package names into real developer workflows.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Hackers Leverage Steganographic Images to Bypass Anti-Malware Scans and Deploy Malware Payloads
cybersecuritynews.com
Open sourceHackers Hide Pulsar RAT Inside PNG Images in New NPM Supply Chain Attack
hackread.com
Open sourceSlopsquatting: The AI Package Hallucination Attack Already Happening
aikido.dev
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious and Credential-Stealing npm Packages Target Developers via Obfuscation and Typosquatting
Multiple malicious npm packages have been discovered targeting developers by employing advanced obfuscation techniques and typosquatting to mimic popular legitimate packages such as *TypeScript*, *discord.js*, *ethers.js*, *nodemon*, and *Claude Code*. Security researchers revealed that these packages use up to four layers of obfuscation—including eval wrapping, XOR encryption, URL encoding, and control flow manipulation—to evade static analysis and conceal credential-stealing malware. The attack chain often begins with deceptive tactics, such as displaying fake CAPTCHAs, and proceeds to exfiltrate sensitive information like IP addresses and credentials to attacker-controlled servers. In one notable case, a package impersonating the official Anthropic CLI was found to proxy commands and data back to the threat actor, enabling both credential theft and remote command execution. These incidents highlight the persistent risks posed by weak validation and oversight in the npm ecosystem, allowing threat actors to publish lookalike packages that are difficult to distinguish from legitimate ones. The sophisticated payloads not only target local developer environments but can also compromise CI/CD pipelines, amplifying the potential impact. Security experts emphasize the need for improved package metadata validation and greater vigilance among developers to mitigate the risk of supply chain attacks through open-source dependencies.
Mar 21, 2026
Malicious npm Packages Stealing Developer Credentials Across Platforms
Security researchers have uncovered multiple campaigns involving malicious npm packages designed to steal developer credentials and sensitive information from Windows, macOS, and Linux systems. In one operation, ten typosquatted packages impersonated popular libraries such as TypeScript, discord.js, ethers.js, and others, using sophisticated obfuscation, fake CAPTCHA prompts, and postinstall hooks to deploy an information stealer that harvested credentials from system keyrings, browsers, and authentication services. The malware executed in a new terminal window to evade detection and sent stolen data, including IP addresses, to external servers. Another large-scale campaign, dubbed 'PhantomRaven,' involved 126 npm packages and over 86,000 downloads, targeting authentication tokens, CI/CD secrets, and GitHub credentials. These packages leveraged remote dynamic dependencies to fetch and execute payloads during installation, profiling infected devices and exfiltrating secrets for potential supply chain attacks. The attackers employed techniques such as slopsquatting, where AI-generated package recommendations led developers to install non-existent, malicious packages. Some packages impersonated tools from GitLab and Apache, and many remained available on npm at the time of reporting. The campaigns highlight the ongoing risks in the npm ecosystem, with attackers exploiting both user trust and platform weaknesses to compromise developer environments and CI/CD pipelines. Security experts warn that the theft of tokens and credentials could enable further attacks, including the introduction of malicious code into legitimate projects and broader supply chain compromises.
Mar 21, 2026
Malicious open-source packages and developer-targeted supply chain attacks
Security researchers reported multiple **software supply chain** threats targeting developers via public package ecosystems. Tenable analyzed a malicious npm package, **`ambar-src`**, that reached roughly **50,000 downloads** in days before removal; it executed during installation via **malicious `preinstall` behavior**, used evasion techniques, and dropped OS-specific payloads for Windows, Linux, and macOS, with typosquatting assessed as the likely lure (mimicking *`ember-source`*). Separate reporting described a campaign using **malicious NuGet packages** (e.g., **NCryptYo**, **DOMOAuth2_**, **IRAOAuth2.0**, **SimpleWriter_**) that impersonated legitimate .NET libraries, executed code on assembly load, and established local proxying/backdoor behavior to facilitate credential theft and persistence in ASP.NET environments. Additional coverage warned of an npm “worm-like” propagation pattern impacting **CI pipelines and AI coding tools**, reinforcing that developer tooling and build systems are high-risk choke points where a single poisoned dependency can spread quickly across environments. While the broader set of articles also included unrelated breach, ransomware, and policy items, the developer-focused supply chain reporting consistently emphasized that **installation-time execution** and **typosquatting/impersonation** enable compromise even when developers never directly call the malicious code, and that traditional detection can lag (e.g., low initial antivirus detection rates for obfuscated .NET payloads).
Mar 21, 2026