Datadog Security Research has uncovered 17 npm packages (spanning 23 releases) laced with downloader malware that delivers the Vidar infostealer on Windows systems.
This campaign, attributed to threat cluster MUT-4831, marks the first publicly known instance of Vidar malware distributed through npm packages.
These malicious packages masqueraded as legitimate developer tools such as Telegram bot libraries, React forks, and icon sets while silently executing post-installation scripts to download and launch hidden malware.
The threat actors operated under the npm accounts aartje and saliii229911, which Datadog confirmed have since been banned. Collectively, the packages accumulated over 2,200 downloads before removal.
Attack Chain and Post-install Exploitation
The attack chain relied on npm’s postinstall script, which runs automatically when a package is installed.
Datadog’s GuardDog static analysis tool initially flagged the package [email protected] on October 21, identifying multiple malicious indicators, including silent execution of external binaries and suspicious remote URLs.
Upon installation, the dependencies.js script downloaded an encrypted ZIP from bullethost[.]cloud, extracted its contents with a hardcoded password, and executed a Windows PE file named bridle.exe. This executable was verified via its SHA-256 hash to be Vidar malware.
Several related packages used a variant approach, embedding a PowerShell downloader directly within package.json to achieve the same outcome.
Vidar’s Role in the Infection Chain
Vidar is a well-known infostealer initially derived from the Arkei Trojan. It harvests browser credentials, cookies, cryptocurrency wallets, and sensitive local files, then exfiltrates the data to command-and-control infrastructure.
The MUT-4831 variant analyzed by Datadog appears to be compiled in Go and leverages Telegram and Steam accounts for dynamic C2 resolution, referencing updated C2 domains hidden within account descriptions.
Earlier Vidar campaigns relied on phishing and malicious documents, but this is the first time it has surfaced via the npm ecosystem, demonstrating the expanding scope of software supply-chain compromise as a viable infection vector.
Mitigation and Defensive Measures
Datadog recommends immediate dependency audits using its Software Composition Analysis tools or similar scanners.
Developers should verify their environment against known malicious packages such as react-icon-pkg, custom-telegram-bot-api, and cursor-ai-fork. For proactive protection, Datadog’s Supply-Chain Firewall can prevent the installation of untrusted or flagged packages before they enter the environment.
As the npm registry continues to face organized abuse, developers are urged to treat each package installation as a potential attack vector. Pinning dependencies and routinely auditing for compromise remain essential steps in maintaining supply-chain integrity.
Indicators of compromise
C2 domains and URLs
| Domain | Comment |
|---|---|
| https://upload.bullethost[.]cloud/download/68f55d7834645ddd64ba3e3e | Download link for encrypted ZIP file containing Vidar second-stage payload |
| https://upload.bullethost[.]cloud/download/68f5503834645ddd64ba3e17 | Download link for encrypted ZIP file containing Vidar second-stage payload |
| https://upload.bullethost[.]cloud/download/68f775f734645ddd64ba99f4 | Download link for encrypted ZIP file containing Vidar second-stage payload |
| https://upload.bullethost[.]cloud/download/68f77d1134645ddd64ba9a5e | Download link for encrypted ZIP file containing Vidar second-stage payload |
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
 laced with downloader malware.){kind=link}