Cybersecurity researchers from JFrog Security Research have identified eight malicious NPM packages aimed at compromising Google Chrome users on Windows systems. The discovery sheds light on the rising threat of software supply chain attacks, where malicious actors infiltrate widely used open-source components to reach thousands of unsuspecting users.
According to JFrog, the attackers embedded malicious code in the packages using an unusually advanced tactic: 70 layers of code obfuscation. This made detection nearly impossible, even for experienced developers or automated scanners.
Hidden Mechanisms and Data Theft
The attack was notable not only for its stealth but also for its sophistication. Once downloaded, the packages automatically installed a specific version of Python without user approval. A hidden script then executed, enabling the theft of sensitive data from Chrome browsers.
Stolen information included passwords, credit card details, cryptocurrency wallets, and cookies—valuable assets that could be exploited for financial gain or identity theft. Researchers traced the packages to two NPM accounts under the names “ruer” and “npjun.”
The Wider Risk to Developers
Supply chain attacks have increasingly become a weapon of choice for cybercriminals. By exploiting open-source repositories, attackers can spread malicious software at scale, often by creating lookalike packages with names similar to trusted libraries. This practice, known as typosquatting, has caught many developers off guard.
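As an added example (not JFrog's code, and nothing from the packages described), the following script audits an npm package manifest for the two warning signs this article describes: install-time lifecycle scripts that invoke an interpreter such as Python, and a package name that is a near-miss of a popular library. The POPULAR allowlist and the two sample manifests are constructed for illustration.

```javascript
// Added example: defender-side audit of an npm package.json for
// (1) lifecycle hooks that call an interpreter or downloader, and
// (2) a name within a small edit distance of a well-known package.

// Assumed allowlist of popular names; a real tool would use a larger list.
const POPULAR = ["lodash", "express", "react", "axios", "chalk", "commander"];
// Hooks npm runs automatically at install time.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Commands that a typical JS-only package has no reason to run on install.
const SUSPECT_CMD = /\b(python3?|pip3?|curl|wget|powershell|certutil)\b/i;

// Levenshtein distance using a single rolling row.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns human-readable findings; an empty array means nothing was flagged.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    const m = cmd && cmd.match(SUSPECT_CMD);
    if (m) findings.push(`${hook} script runs "${m[0]}": ${cmd}`);
  }
  const name = (manifest.name || "").toLowerCase();
  for (const known of POPULAR) {
    const d = editDistance(name, known);
    if (d > 0 && d <= 2) findings.push(`name "${name}" is ${d} edit(s) from "${known}"`);
  }
  return findings;
}

// Constructed sample manifests (not real packages).
const SUSPICIOUS = {
  name: "lodahs",
  version: "1.0.0",
  scripts: { postinstall: "python3 ./install_helper.py" },
};
const BENIGN = { name: "my-internal-tool", version: "2.3.1", scripts: { test: "jest" } };
```

Run `auditManifest(JSON.parse(fs.readFileSync("package.json")))` against each dependency in node_modules to apply the same two checks to an installed tree.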
Experts warn that the growing dependency on open-source tools, while fostering innovation, also creates vulnerabilities when oversight is weak or absent.
Response and Expert Warnings
JFrog confirmed that all eight malicious packages have been reported and removed from the NPM repository. Still, security researchers caution that this case underscores the need for stricter defenses.
Guy Korolevski, one of JFrog’s lead researchers, stressed the importance of visibility across the software supply chain. “The impact of sophisticated multi-layer campaigns designed to evade traditional security and steal sensitive data highlights the need for rigorous automated scanning and a single source of truth for all software components,” he said.
The incident stands as a reminder that the open-source ecosystem, while essential, remains a prime target for increasingly sophisticated cybercriminal campaigns.