Malicious NPM Packages Target PayPal Users

Fortinet researchers have uncovered multiple malicious NPM packages designed to steal sensitive information from unsuspecting PayPal users. The packages were uploaded to the npm registry in early March under the accounts tommyboy_h1 and tommyboy_h2, believed to belong to a single threat actor, and they pose a significant risk to the developers who install them.

The attack relies on PayPal-related package names to avoid suspicion: by including "PayPal" in names such as oauth2-paypal and buttonfactoryserv-paypal, the attackers create a false sense of legitimacy and trick developers into installing them.

The packages use a preinstall hook, which npm runs automatically during installation, to execute hidden scripts that collect system data such as usernames and directory paths, obfuscate it, and exfiltrate it to attacker-controlled servers. This information can then be used to target PayPal accounts, sold for fraudulent purposes, or kept for future attacks.

Fortinet researchers recommend that developers watch out for fake PayPal-related packages, check network logs for odd connections, remove threats, update credentials, and stay cautious when installing packages. The tommyboy_h1 and tommyboy_h2 accounts are likely operated by the same attacker, suggesting a coordinated effort to target PayPal users.

“The authors of tommyboy_h1 and tommyboy_h2 are likely the same person, publishing multiple malicious packages in a short time. We suspect that the same author created these packages to target PayPal users,” concludes the report. “We urge the public to be cautious when downloading packages and to ensure they are from trusted sources to avoid falling victim to such attacks.”

Prevention Tips

  • Watch out for fake PayPal-related packages
  • Check network logs for odd connections
  • Remove threats promptly
  • Update credentials regularly
  • Be cautious when installing packages

Stay safe online by staying informed and taking proactive steps to protect yourself from such attacks.