FortiGuard Labs has identified malicious NPM packages created to steal sensitive information from PayPal users. These packages, linked to the threat actor accounts tommyboy_h1 and tommyboy_h2, use PayPal-related names to evade detection and collect data from compromised systems. Users are urged to be cautious with package downloads and to monitor for signs of compromise. Affected: PayPal users, developers
Key points:
- FortiGuard Labs discovered malicious NPM packages targeting PayPal users.
- The threat actors are identified as tommyboy_h1 and tommyboy_h2.
- Malicious packages use “PayPal” in their names to avoid detection.
- An automatic script runs through a preinstall hook, collecting sensitive system data.
- This data is obfuscated and sent to attacker-controlled servers.
- Multiple malicious packages were published in a short time frame.
- Users should look for unusual package names and unexpected network connections.
- FortiGuard protections are in place to detect and block these threats.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: The malicious script exploits the Application Layer to exfiltrate sensitive data to remote servers.
- T1049 – System Network Connections Discovery: Collects data related to network connections and sends it to an external server.
- T1029 – Scheduled Task/Job: The script uses a preinstall hook to execute automatically before package installation.
Indicators of Compromise:
- [File] bankingbundleserv_1.20.0
- [File] buttonfactoryserv-paypal_3.50.0
- [File] buttonfactoryserv-paypal_3.99.0
- [File] tommyboytesting_1.0.1
- [File] oauth2-paypal_0.6.0