Datadog Security Research has uncovered a significant supply-chain attack targeting Windows developers via the npm package registry.
The threat activity cluster, tracked as MUT-4831, deployed 17 malicious npm packages containing 23 releases designed to deliver Vidar infostealer malware via postinstall scripts.
This marks the first known instance of Vidar being distributed via npm packages, expanding the threat landscape for both individual developers and enterprise organizations that rely on open-source dependencies.
The campaign, detected through Datadog’s GuardDog static analyzer on October 21, 2025, masquerades packages as benign software development kits, including fake Telegram bot helpers, icon libraries, and forked versions of legitimate projects like Cursor and React.
The packages present legitimate-looking profiles on npm’s public registry while harboring malicious payloads. All identified packages were published by two recently created npm accounts, aartje and saliii229911, before both accounts were subsequently banned by npm.
The malicious packages remained live for approximately two weeks, accumulating at least 2,240 downloads before removal.
Attack Chain and Technical Execution
The attack chain begins with a post-install script automatically executed during package installation, a common vector for npm-based malware.
The script downloads an encrypted ZIP archive from the bullet host.]cloud domain to the system’s temporary directory, then decrypts and extracts the payload using hardcoded credentials.
A PE executable named bridle.exe, identified as a Go-compiled variant of Vidar v2, is subsequently executed using silent process-spawning techniques designed to evade user detection.
The Vidar payload then establishes command-and-control connections through hardcoded Telegram and Steam accounts, where threat actors regularly update active C2 infrastructure domains.
Once executed, Vidar systematically collects sensitive data, including browser credentials, cookies, cryptocurrency wallets, and system files.
The malware packages stolen information into encrypted archives for exfiltration before deleting its traces from the victim system, complicating forensic investigation and incident response efforts.
Some packages used variations with PowerShell-based postinstall scripts embedded directly in package.json, delegating extraction to Node.js helper scripts.
This implementation diversification likely represents an attempt to evade automated detection mechanisms and improve persistence across different execution environments.
Implications and Defense Strategies
The campaign highlights npm’s continued vulnerability as an attack vector for threat actors seeking direct access to developer systems and organizational infrastructure.
Organizations using affected packages face potential credential theft, wallet compromise, and lateral movement opportunities for attackers. The single most downloaded malicious package, react-icon-pkg, reached 503 unique downloads before removal, indicating substantial exposure.
Organizations should implement defensive measures, including dependency pinning to known-good versions, treating package installations as security-relevant events, and deploying software composition analysis tools.
Datadog’s Supply-Chain Firewall blocks known malicious packages before installation, while its SCA capabilities enable inventory verification of potentially compromised dependencies across infrastructure.
Immediate actions for impacted systems include credential rotation, application isolation, and comprehensive compromise assessment to identify potential lateral movement or secondary infections.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
