Severity
High
Analysis Summary
A sophisticated supply-chain attack has surfaced targeting Windows systems through compromised npm packages, highlighting a severe weakness in open-source software distribution. Between October 21 and 26, 2025, threat actors published 17 malicious npm packages across 23 releases, all designed to deliver the Vidar infostealer malware. These packages mimicked legitimate tools, posing as Telegram bot helpers, icon libraries, and forks of popular projects like Cursor and React. The threat actors exploited the inherent trust developers place in public package registries, resulting in over 2,240 downloads before the malicious packages were removed. The attackers used two new npm accounts, aartje and saliii229911, to distribute the infected packages. This represents a major evolution in Vidar's delivery method, shifting from traditional phishing-based infections to software supply-chain exploitation.
Researchers uncovered the campaign using their GuardDog static analyzer, which flagged suspicious patterns such as postinstall script execution and process spawning behaviors. These postinstall scripts served as the initial infection mechanism, executing automatically after developers installed the compromised packages. The scripts downloaded an encrypted archive from bullethost.cloud containing bridle.exe, a Go-compiled variant of the Vidar malware never before seen distributed through npm. Some variants even embedded PowerShell commands directly in package.json files, further hindering detection. Once executed, Vidar began harvesting sensitive information including browser credentials, cookies, crypto wallets, and system files, exfiltrating the stolen data to command-and-control (C2) servers.
The attackers exhibited notable sophistication in operational security and evasion techniques. The Vidar malware leveraged hardcoded Telegram and Steam accounts to dynamically fetch active C2 domains, ensuring consistent connectivity even if one infrastructure node was taken down. The malware then executed self-deletion routines post-exfiltration, erasing evidence and complicating forensic investigations. The use of multiple C2 rotations, encryption, and dynamic domain retrieval demonstrated a deep understanding of anti-detection and persistence strategies within open-source ecosystems.
This campaign underscores the growing threat of supply-chain attacks in modern development environments. By infiltrating trusted repositories like npm, threat actors can achieve mass infection with minimal direct targeting. The incident marks one of the most consequential npm-based malware operations to date, affecting enterprise developers and independent programmers alike. It also reinforces the urgent need for enhanced code auditing, dependency validation, and real-time package behavior monitoring. Security teams are urged to adopt Zero Trust principles, enforce software composition analysis, and implement automated detection tools to safeguard against similar future attacks targeting the global software supply chain.
Impact
- Sensitive Information Theft
- Crypto Theft
- Gain Access
Indicators of Compromise
Domain Name
a.t.rizbegadget.shop
ftp.nadimgadget.shop
gra.khabeir.com
p.x.rizbegadget.shop
t.y.server24x.com
MD5
d065c28a5273b809c6220bfe19a4868d
SHA-256
aa49d14ddd6c0c24febab8dce52ce3835eb1c9280738978da70b1eae0d718925
SHA-1
39cfc6f65c89cddc9504c06fe6fcaa08e6b9fd39
Remediation
- Isolate any build systems or developer machines that installed the suspect packages, and disconnect them from the network if active compromise is suspected.
- Revoke/rotate any credentials, API keys, or secrets that may have been present on compromised hosts or in repositories.
- Block known malicious infrastructure (e.g., bullethost.cloud and identified C2 domains) at the firewall and in DNS filtering.
- Preserve logs (build logs, npm install output, system event logs, EDR snapshots) for forensic investigation before remediation steps that alter systems.
- Audit package.json and lockfiles for unexpected postinstall scripts or unusual lifecycle scripts; remove or replace any packages with suspicious scripts.
- Pin dependency versions in lockfiles (package-lock.json / yarn.lock) and avoid automatic updates from untrusted registries.
- Use npm ci with verified lockfiles in CI to prevent installing packages not in the lockfile.
- Run npm installs inside ephemeral sandboxed containers or CI runners that have no access to production credentials or secrets.
- Remove/replace any packages published by suspicious accounts (aartje, saliii229911) and update code to use vetted alternatives.
- Apply Software Composition Analysis (SCA) and dependency-scanning tools in CI to flag packages with lifecycle scripts, network calls, or postinstall activity.