Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems.

"The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS," Socket security researcher Kush Pandya said.

The npm packages were uploaded to the registry on July 4, 2025, and accumulated over 9,900 downloads collectively:

deezcord.js dezcord.js dizcordjs etherdjs ethesjs ethetsjs nodemonjs react-router-dom.js typescriptjs zustand.js