Supply-Chain Attack on Windows Developers: Malicious npm Packages Deliver Vidar Infostealer

Listen to this Post

Featured Image
The world of software development faces a new and alarming threat. Datadog Security Research has uncovered a sophisticated supply-chain attack targeting Windows developers through the popular npm package registry. This campaign, identified as MUT-4831, marks the first known instance of Vidar infostealer malware being distributed via npm packages, highlighting a growing risk for both individual developers and enterprise environments that depend heavily on open-source software. By disguising malware as legitimate development tools, threat actors are exploiting trust within the developer ecosystem to gain access to sensitive data and systems.

Malicious npm Packages and Campaign Overview

Datadog researchers identified 17 malicious npm packages, encompassing 23 releases, all designed to deliver Vidar infostealer malware. The attack was detected using Datadog’s GuardDog static analyzer on October 21, 2025. The packages masqueraded as benign development tools, including fake Telegram bot helpers, icon libraries, and forked versions of popular frameworks like Cursor and React. All packages were published by two newly created npm accounts, aartje and saliii229911, which were later banned by npm after the malicious activity was identified. Despite their brief two-week lifespan, these packages accumulated over 2,240 downloads, exposing a significant number of developers to potential compromise.

Technical Execution of the Attack

The attack leveraged npm’s post-install scripts, automatically executed when a package is installed. These scripts downloaded encrypted ZIP archives from a bullet host to the system’s temporary directory, decrypted them with hardcoded credentials, and executed a Go-compiled variant of Vidar v2 called bridle.exe. The malware employed silent process-spawning techniques to avoid detection while establishing command-and-control connections via hardcoded Telegram and Steam accounts. Once active, Vidar harvested sensitive data, including browser credentials, cookies, cryptocurrency wallets, and system files. The stolen data was packaged into encrypted archives for exfiltration, after which the malware removed traces of its activity to hinder forensic investigation.

Some packages also incorporated PowerShell-based postinstall scripts directly within the package.json file, delegating extraction tasks to Node.js helper scripts. This variety in execution methods likely reflects the attackers’ efforts to bypass automated detection and maintain persistence across diverse environments.

Implications for Developers and Organizations

This campaign underscores the persistent vulnerability of npm as a distribution vector for malware targeting developers and enterprise systems. Organizations using affected packages risk credential theft, wallet compromise, and potential lateral movement by attackers. The most downloaded malicious package, react-icon-pkg, reached 503 unique downloads before removal, illustrating the real exposure threat.

Defensive Measures

Organizations are urged to implement strong security practices for dependency management, including dependency pinning to known-good versions and treating package installations as security-relevant events. Software composition analysis (SCA) tools can help identify compromised dependencies before they impact infrastructure. Datadog’s Supply-Chain Firewall provides real-time blocking of known malicious packages and allows continuous verification of dependency inventories. For systems potentially impacted, immediate actions should include credential rotation, application isolation, and thorough compromise assessment to identify lateral movement or secondary infections.

What Undercode Say:

The MUT-4831 campaign represents a critical evolution in supply-chain attacks targeting the developer ecosystem. By leveraging npm’s inherent trust model and integrating malware directly into widely used libraries, threat actors can achieve high-impact compromise with minimal effort. Developers often assume that popular packages are safe, yet this incident shows that even recently created accounts can introduce high-risk payloads that bypass superficial scrutiny.

From a technical perspective, the use of diverse execution vectors, including postinstall scripts in Node.js and PowerShell variations, indicates a sophisticated understanding of evasion techniques. This implies attackers are not only targeting individual developer workstations but also aiming at enterprise networks where npm dependencies are widely integrated. The focus on Vidar infostealer is especially concerning given its capability to harvest both system and browser-level credentials, cryptocurrency wallets, and other sensitive artifacts. Such capabilities increase the potential for secondary attacks, including ransomware deployment or targeted espionage.

Enterprises must view npm package installation as a high-risk activity. Automated detection alone is insufficient; integrating behavioral analysis, anomaly detection, and network segmentation are essential steps to mitigate these risks. Additionally, proactive threat intelligence sharing between organizations can help reduce exposure time for newly discovered malicious packages. Datadog’s multi-layered defense, combining static analysis, SCA, and firewalling, provides a practical blueprint for minimizing supply-chain risk, yet the responsibility also falls on developers to maintain vigilance during dependency adoption.

Ultimately, the MUT-4831 campaign serves as a wake-up call: open-source convenience must be balanced with rigorous security hygiene. Trusting packages solely based on registry popularity or familiar naming conventions is no longer safe. Organizations must adopt a layered, proactive approach to package security, ensuring that every dependency is scrutinized before deployment.

Fact Checker Results:

✅ 17 malicious npm packages detected.

✅ Campaign linked to Vidar infostealer malware.

❌ No evidence of long-term widespread exploitation beyond the initial two-week period.

Prediction:

📊 Threat actors will increasingly target open-source package registries with sophisticated malware campaigns.
📊 Developer environments will become primary vectors for credential and cryptocurrency theft.
📊 Expect the emergence of automated defense tools integrated into CI/CD pipelines to preemptively flag high-risk packages.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.reddit.com/r/AskReddit
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon