FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users. Detected between March 5 and March 14, 2025, the packages were published by a threat actor using the aliases “tommyboy_h1” and “tommyboy_h2,” believed to be the same individual. The packages, which include oauth2-paypal and buttonfactoryserv-paypal, exploit PayPal’s trusted brand to deceive developers into installing them.

Once installed, each package deploys a preinstall hook that automatically runs a malicious script, collecting system data such as usernames, hostnames, and directory paths without the user’s awareness. FortiGuard Labs’ analysis reveals that the script encodes the stolen data into hexadecimal format, obfuscates it by splitting and truncating directory paths, and sends it to attacker-controlled servers via dynamically generated URLs.

The campaign’s scale is notable: the actor behind both aliases published numerous packages in a short timeframe. The packages target small to medium-sized businesses and developers, exploiting the open-source ecosystem’s trust model. By mimicking legitimate PayPal-related functionality, they create a false sense of legitimacy, increasing their chances of evading detection.
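The two traits the report highlights, an install-time lifecycle hook and a brand name squatted in the package name, can both be checked from a package's manifest before it is installed. The following audit function is an added example written for this article, not code from FortiGuard Labs or from the packages described; the hook list, the brand list, and the command pattern are assumptions chosen to illustrate the idea, and the sample manifest is constructed, not a real package's.

```javascript
// Lifecycle scripts npm runs automatically during install/uninstall (assumed list).
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'preuninstall', 'postuninstall'];
// Brands commonly impersonated in package names; illustrative, extend as needed.
const IMPERSONATED_BRANDS = ['paypal'];
// Commands that rarely belong in an install hook of a library package (heuristic).
const SUSPICIOUS_CMD = /\b(curl|wget|node\s+\S+\.js|bash|sh\s+-c|powershell)\b/i;

// Audit a package.json string and return a list of findings (empty if nothing suspicious).
function auditPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  const findings = [];
  const scripts = pkg.scripts || {};

  // 1. Any install-time hook is worth a look; one that spawns a script or network tool more so.
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      const cmd = scripts[hook];
      findings.push({
        rule: 'install-hook',
        detail: `${hook}: ${cmd}`,
        severity: SUSPICIOUS_CMD.test(cmd) ? 'high' : 'medium',
      });
    }
  }

  // 2. A well-known brand inside an unfamiliar package name is the lure the report describes.
  const name = (pkg.name || '').toLowerCase();
  for (const brand of IMPERSONATED_BRANDS) {
    if (name.includes(brand)) {
      findings.push({ rule: 'brand-in-name', detail: name, severity: 'medium' });
    }
  }
  return findings;
}

// Constructed sample manifest modelled on the article's description (not a real package).
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'oauth2-paypal',
  version: '1.0.0',
  scripts: { preinstall: 'node index.js' },
});

console.log(auditPackageJson(SAMPLE_MANIFEST));
```

Running npm with `--ignore-scripts` prevents such hooks from executing during installation, so the audit can be done on the downloaded manifest before any script has a chance to run.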
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 12 Apr 2025 09:15:17 +0000