Security researchers have disclosed a campaign of typosquatted npm packages that execute automatically on install and ultimately deliver a cross-platform credential stealer. According to the researchers, the malicious packages were first published on July 4, 2025, remained live for over four months, and together collected more than 9,900 downloads before Socket petitioned the npm registry for removal.
First seen on thecyberexpress.com
Jump to article: thecyberexpress.com/typosquatted-npm-packages-credential-stealer/

