Microsoft Threat Intelligence discovered two compromised npm packages distributing remote access trojan malware targeting developers and cryptocurrency users. The malicious packages, identified as utils-terminal@3.2.1 and logger-active@3.2.1, steal keystrokes, screenshots, and cryptocurrency wallet credentials from infected systems. Attackers used Hugging Face repositories to exfiltrate stolen information, making detection harder for security teams. The campaign targets developer workstations containing browser-based crypto wallets, private keys, exchange API credentials, and cloud service credentials. This discovery forms part of ongoing software supply-chain risks affecting developers and crypto users storing sensitive assets on development machines.
Microsoft Identifies Malicious npm Packages Distributing RAT Malware
Microsoft warned that cybercriminals are targeting developers and cryptocurrency users through malicious software hidden inside public npm packages. According to Microsoft Threat Intelligence, two compromised npm packages, identified as utils-terminal@3.2.1 and logger-active@3.2.1, were discovered distributing a remote access trojan (RAT) capable of stealing sensitive information from infected systems.
The malicious packages were reportedly designed to collect a wide range of data, including keystrokes, screenshots, cryptocurrency wallet credentials, and other confidential information. Since npm is one of the most widely used software registries for JavaScript developers, the threat has the potential to impact a large number of users who unknowingly install compromised dependencies while building applications or web services.
Attackers Route Stolen Data Through Hugging Face Platform
Microsoft explained that the attackers used Hugging Face, a popular platform for artificial intelligence and machine learning projects, as part of their data exfiltration process. By routing stolen information through a trusted platform, the malicious activity may appear less suspicious than communications with traditional command-and-control servers, making detection more difficult for security teams.
Malware Targets Crypto Wallets and Developer Credentials
The threat is particularly concerning for crypto developers and investors. Developer workstations often contain browser-based crypto wallets, private keys, seed phrase backups, exchange API credentials, GitHub access tokens, and cloud service credentials. If attackers gain access to these assets, they could potentially compromise cryptocurrency holdings, development environments, trading systems, and source code repositories.
Campaign Connects to Previous Supply-Chain Attacks
Microsoft's findings also align with a trend of attacks targeting software supply chains. In May, security researchers uncovered the TrapDoor malware campaign, which spread through dozens of malicious packages across npm, PyPI, and Rust repositories. That operation specifically targeted crypto and artificial intelligence developers by attempting to steal wallet data, cloud credentials, API keys, and SSH access.
The latest warning also follows another recent report from Microsoft involving cryptojacking malware. In that campaign, attackers allegedly used poisoned search results and manipulated AI chatbot interactions to direct users toward fake software downloads. Once installed, the malicious programs leveraged system resources to mine cryptocurrency without the victims' knowledge.
Security Experts Recommend Credential Rotation and Package Review
Security experts recommend that developers carefully review newly installed packages, remove suspicious dependencies, rotate potentially exposed credentials, and monitor wallet activity for unauthorized transactions. Crypto users are also advised to avoid storing seed phrases on internet-connected devices and to thoroughly verify all wallet transactions before approving them.
FAQ
What malicious npm packages did Microsoft discover?
Microsoft Threat Intelligence identified two compromised npm packages: utils-terminal@3.2.1 and logger-active@3.2.1. These packages distribute remote access trojan malware capable of stealing keystrokes, screenshots, cryptocurrency wallet credentials, and other confidential information from infected systems.
How do attackers exfiltrate stolen data from infected systems?
Attackers used Hugging Face, a popular platform for artificial intelligence and machine learning projects, as part of their data exfiltration process. By routing stolen information through a trusted platform, the malicious activity appears less suspicious than communications with traditional command-and-control servers, making detection more difficult for security teams.
What security measures do experts recommend for developers?
Security experts recommend that developers carefully review newly installed packages, remove suspicious dependencies, rotate potentially exposed credentials, and monitor wallet activity for unauthorized transactions. Crypto users are advised to avoid storing seed phrases on internet-connected devices and to thoroughly verify all wallet transactions before approving them.
