Surveillance Malware Hidden in npm and PyPI Packages Targets Developers with Keyloggers, Webcam Capture, and Credential Theft
The Socket Threat Research Team has uncovered four malicious packages: three on the npm registry and one on the Python Package Index (PyPI), all designed as delivery mechanisms for surveillance malware. Collectively, these four packages have over 56,000 downloads. As of this publication, the packages remain live on npm and PyPI. We have petitioned the respective registries for their removal.
Once installed, these malicious packages covertly integrate surveillance functionality into the developer’s environment, enabling keylogging, screen capture, fingerprinting, webcam access, and credential theft. These behaviors fall under the category of surveillance malware: malicious software that covertly monitors and captures user activity and transmits it to external infrastructure without the user’s consent. While the term often overlaps with spyware, surveillance malware more precisely emphasizes the covert observation and data exfiltration tactics seen in malicious dependencies.
Details of the Malicious Packages:
- vfunctions (PyPI) — A multi-vector surveillance platform that captures webcam images, replicates itself across Python files, and copies itself into Windows startup for persistence.
- dpsdatahub (npm) — A hidden browser-based keylogger that captures user input and session data via iframe injection and exfiltrates it to a command-and-control (C2) endpoint.
- nodejs-backpack (npm) — A multi-purpose surveillance package that collects both screenshots and extensive system and user metadata with added obfuscation to avoid detection and a deceptive utility wrapper to mask its true intent.
- m0m0x01d (npm) — A surveillance package that monitors credential input fields, logs keystrokes in real time, and exfiltrates sensitive data via iframe injection. It uses Burp Collaborator as its C2 exfiltration channel, blending surveillance traffic with legitimate security testing infrastructure to evade detection.
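As an added defensive example (not code from the Socket write-up), the script below checks a project's package.json and requirements.txt for the four package names listed above and scans package source for the behaviours described: webcam capture, Windows startup persistence, self-replication across .py files, iframe injection, keystroke capture, and Burp Collaborator callbacks. The regex indicators and the sample inputs are assumptions constructed for this example, not indicators published by Socket.

```python
import json
import re

# Package names and registries exactly as listed in the write-up above.
KNOWN_MALICIOUS = {"npm": {"dpsdatahub", "nodejs-backpack", "m0m0x01d"}, "pypi": {"vfunctions"}}

# Source-level heuristics for the behaviours described above; these patterns are
# assumptions added for this example, not indicators published by Socket.
INDICATORS = {
    "webcam_capture": re.compile(r"\bcv2\.VideoCapture\s*\("),
    "windows_startup_persistence": re.compile(r"Programs\\+Startup", re.I),
    "self_replication_over_py_files": re.compile(r"glob\([^)]*\*\.py"),
    "iframe_injection": re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)"),
    "keystroke_capture": re.compile(r"addEventListener\(\s*['\"]key(?:down|up|press)['\"]|\bpynput\b"),
    # Burp Collaborator's default public domains, assumed here as the C2 marker.
    "collaborator_c2": re.compile(r"[a-z0-9.-]+\.(?:burpcollaborator\.net|oastify\.com)", re.I),
}

def npm_deps(package_json: str) -> set[str]:
    """Collect dependency names from a package.json document."""
    doc = json.loads(package_json)
    names = set()
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(n.lower() for n in doc.get(key, {}))
    return names

def pypi_deps(requirements: str) -> set[str]:
    """Collect normalised names from requirements.txt (strips specifiers and comments)."""
    names = set()
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        names.add(re.split(r"[<>=!~\[;@ ]", line, maxsplit=1)[0].lower().replace("_", "-"))
    return names

def known_malicious(npm: set[str], pypi: set[str]) -> dict[str, set[str]]:
    """Intersect each manifest's names with the packages named in the write-up."""
    return {"npm": npm & KNOWN_MALICIOUS["npm"], "pypi": pypi & KNOWN_MALICIOUS["pypi"]}

def scan_source(text: str) -> list[str]:
    """Return the name of every indicator that matches the given source text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

# Constructed sample inputs modelled on the behaviours the write-up lists.
SAMPLE_PACKAGE_JSON = '{"dependencies": {"express": "^4", "m0m0x01d": "1.0.0"}}'
SAMPLE_REQUIREMENTS = "requests>=2.31\nVFunctions==0.1  # pulled in transitively\n"
SAMPLE_SOURCE = ("cam = cv2.VideoCapture(0)\n"
                 "shutil.copy(__file__, r'%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup')\n"
                 "for p in glob.glob('**/*.py', recursive=True): infect(p)\n")
```

A name match is a definite finding; an indicator hit only flags a package for manual review, since legitimate tooling can use the same APIs.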
To read the complete article, see: Surveillance Malware Hidden in npm and PyPI Packages.