
Malicious NPM Packages Target PayPal Users: A Comprehensive Analysis

Discover how threat actors are exploiting NPM packages to steal PayPal credentials and hijack cryptocurrency transfers. Learn about the latest findings and security recommendations from Fortinet researchers.


TL;DR

  • Threat actors are using malicious NPM packages to target PayPal users and steal credentials.
  • The packages use deceptive names to avoid detection and exfiltrate system data.
  • Security experts recommend vigilance and caution when installing packages.

Malicious NPM Packages Targeting PayPal Users

Threat actors have deployed malicious NPM packages to steal PayPal credentials and hijack cryptocurrency transfers, according to Fortinet researchers [1]. These packages, uploaded in early March by threat actors operating under the account names tommyboy_h1 and tommyboy_h2, exploit developers' trust by using PayPal-related names.

Deceptive Tactics and Data Exfiltration

The malicious packages use names like oauth2-paypal and buttonfactoryserv-paypal to create a false sense of legitimacy, which makes it easier for the attackers to steal sensitive information. The code within these packages collects and exfiltrates system data, such as usernames and directory paths, which can be used to target PayPal accounts or sold for fraudulent purposes [1].

Technical Details of the Attack

These malicious NPM packages use a preinstall hook, which npm runs automatically during installation, to execute hidden scripts that collect system information, obfuscate it, and exfiltrate it to attacker-controlled servers. The stolen data gives the attacker a foothold for follow-on attacks and further compromise.

[Figure: Malicious NPM Packages]

Security Recommendations

Fortinet researchers advise the following precautions:

  • Watch for fake PayPal-related packages.
  • Check network logs for unusual connections.
  • Remove any detected threats.
  • Update credentials regularly.
  • Exercise caution when installing packages from untrusted sources.

Attribution and Further Analysis

The analysis suggests that the same attacker likely operated both the tommyboy_h1 and tommyboy_h2 accounts and published the packages under them. The report concludes that these packages were specifically designed to target PayPal users and urges the public to be vigilant when downloading packages [1].

Conclusion

The discovery of these malicious NPM packages underscores the importance of vigilance in the cybersecurity landscape. As threat actors continue to evolve their tactics, staying informed and cautious is crucial for protecting sensitive information.

References

  1. Fortinet (2025). "Malicious NPM packages targeting PayPal users". Fortinet Blog. Retrieved 2025-04-14.

This post is licensed under CC BY 4.0 by the author.