Malicious NPM Packages Targeting PayPal Users
Summary:
FortiGuard Labs has identified a wave of malicious NPM packages created by a threat actor operating under the aliases tommyboy_h1 and tommyboy_h2. These packages were published between March 5 and March 14, 2025, and are part of a targeted campaign aimed at harvesting sensitive information from compromised systems—primarily focusing on PayPal users. The attacker used deceptive naming conventions, incorporating terms like “paypal” in package names to exploit developer trust and evade initial scrutiny. This social engineering tactic helps make the packages appear legitimate and relevant to financial or authentication services, increasing the likelihood of being unknowingly downloaded and integrated into projects.
The core malicious activity is triggered via a preinstall hook, a script that runs automatically during the installation of the package before the user or security tools typically engage. This script collects a variety of system details such as the current username, hostname, and working directory. To evade detection, the attacker obfuscates the exfiltrated data by encoding it in hexadecimal format and manipulating directory paths to appear innocuous. Once processed, the information is sent to an external, attacker-controlled server through a dynamically generated URL, which further complicates detection and blocking by traditional security solutions.
FortiGuard Labs' investigation revealed that the malicious code embedded in one package was reused nearly identically across others, indicating a streamlined deployment method and likely automation in publishing. The author managed to push out numerous malicious packages in a very short timeframe, suggesting a coordinated effort to saturate the ecosystem before detection. Screenshots of the packages and code confirm the consistency of the payload across variants. The packages are not only designed to steal system data but also to enable potential follow-up attacks by gathering environmental intelligence about the victim systems, which could be used to exploit PayPal credentials or sold on underground forums.
Security Officer Comments:
The threat is particularly concerning because it leverages supply chain attack vectors through open-source ecosystems, a growing trend among cybercriminals. These types of attacks can have widespread impacts, especially if the malicious packages are unknowingly incorporated into software products used by businesses or consumers. FortiGuard advises all developers and organizations to scrutinize any packages with financial-related naming conventions, particularly those recently published with few downloads or reviews. Signs of compromise may include unexpected outbound network connections, unexplained behavior during NPM installs, or unusual file system access patterns.
Suggested Corrections:
As a mitigation measure, affected users should immediately remove suspicious packages, change any potentially compromised credentials—especially those related to PayPal or financial accounts—and conduct thorough scans to detect any residual threats. Organizations should also implement strict internal policies for dependency management, utilize lockfiles to prevent automatic updates to unverified packages, and maintain updated threat detection tools capable of flagging obfuscated scripts and network anomalies. This incident underscores the critical importance of maintaining software supply chain hygiene and exercising caution with seemingly trusted open-source libraries.
Link(s):
https://www.fortinet.com/blog/threat-research/malicious-npm-packages-targeting-paypal-users