{"id":3237,"date":"2025-04-12T10:00:46","date_gmt":"2025-04-12T10:00:46","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/04\/12\/beware-developers-malicious-npm-packages-targeting-paypal-users-to-steal-sensitive-data\/"},"modified":"2025-04-12T10:00:46","modified_gmt":"2025-04-12T10:00:46","slug":"beware-developers-malicious-npm-packages-targeting-paypal-users-to-steal-sensitive-data","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/04\/12\/beware-developers-malicious-npm-packages-targeting-paypal-users-to-steal-sensitive-data\/","title":{"rendered":"Beware Developers! Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data"},"content":{"rendered":"

Beware Developers! Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

FortiGuard Labs, Fortinet\u2019s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages<\/a> designed to steal sensitive information from developers and target PayPal users. <\/p>\n

Detected between March 5 and March 14, 2025, these packages were published by a threat actor using the aliases \u201ctommyboy_h1\u201d and \u201ctommyboy_h2,\u201d believed to be the same individual.<\/p>\n

\"\"<\/figure>\n
\"\"
The published packages of the author of \u201ctommyboy_h2.\u201d
<\/figcaption><\/figure>\n

The malicious packages, including names like oauth2-paypal<\/em> and buttonfactoryserv-paypal<\/em>, exploit PayPal\u2019s trusted brand to deceive developers into installing them. <\/p>\n

By mimicking legitimate PayPal-related functionality, the packages create a false sense of legitimacy, increasing their chances of evading detection. <\/p>\n

Once installed, they deploy a preinstall hook that automatically runs a malicious script, collecting system data such as usernames, hostnames, and directory paths without user awareness.<\/p>\n

FortiGuard Labs\u2019 analysis<\/a> reveals that the script encodes stolen data into hexadecimal format, obfuscates it by splitting and truncating directory paths, and sends it to attacker-controlled servers via dynamically generated URLs. <\/p>\n

This obfuscation makes it difficult for security tools to detect or block the exfiltration. The harvested information could be used to compromise PayPal accounts, fuel further attacks, or be sold on the dark web.<\/p>\n

Key Findings<\/strong><\/h2>\n

The campaign\u2019s scale is notable, with the threat actor publishing numerous packages in a short timeframe. Examples include oauth2-paypal v699.0.0<\/em>, buttonfactoryserv-paypal v3.50.0<\/em>, and tommyboytesting<\/em> variants, all exhibiting identical malicious code. <\/p>\n

The packages target small to medium-sized businesses and developers, exploiting the open-source ecosystem\u2019s trust model.<\/p>\n

FortiGuard AntiVirus has flagged the malicious files as Bash\/TommyBoy.A!tr<\/em>, covering packages like:<\/p>\n

    \n
  • bankingbundleserv_1.20.0<\/em><\/li>\n
  • \nbuttonfactoryserv-paypal_3.50.0<\/em> and 3.99.0<\/em>\n<\/li>\n
  • \noauth2-paypal<\/em> (multiple versions, e.g., 0.6.0, 699.0.0)<\/li>\n
  • compliancereadserv-paypal_2.1.0<\/em><\/li>\n<\/ul>\n

    The authors of\u00a0tommyboy_h1\u00a0and\u00a0tommyboy_h2\u00a0are likely the same person, publishing multiple malicious packages in a short time. We suspect that the same author created these packages to target\u00a0PayPal\u00a0users, Fortinet said..<\/p>\n

    FortiGuard Labs urges organizations and developers to:<\/p>\n

      \n
    • Verify NPM packages, avoiding those with suspicious names like \u201cpaypal\u201d (e.g., oauth2-paypal<\/em>).<\/li>\n
    • Monitor network logs for unexpected connections to unknown servers.<\/li>\n
    • Remove any detected malicious packages, change compromised credentials, and scan systems for additional threats.<\/li>\n
    • Ensure security software is updated to leverage Fortinet\u2019s latest protections.<\/li>\n<\/ul>\n

      Indicators of Compromise<\/strong><\/h2>\n
      \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
      File<\/td>\nHash (sha256)<\/td>\nDetection<\/td>\n<\/tr>\n
      bankingbundleserv_1.20.0<\/td>\n796deae716a6d66b49a99d00e541056babe34fd2fcbcea0380491de4b792afba<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      buttonfactoryserv-paypal_3.50.0<\/td>\n18e45358462363996688ceabfc098e17f855d73842f460b34c683e58c728149f<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      buttonfactoryserv-paypal_3.99.0<\/td>\n88bd580aa51129e4e5fa69e148131874c862015e7c51d59497e11f22db2d72c6<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      tommyboytesting_1.0.1<\/td>\n23664decf3c2f28a3f552dc98d90017926617969713ccccdc9f5fd3178d76dbf<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      tommyboytesting_1.0.2<\/td>\nba63fbf6f7bab000bc1b1bf92319415328cea238872450adbaac6a6069132779<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      tommyboytesting_1.0.5<\/td>\nf359b687fb9e1a4c27fdf5174380abc9877f940ef6a6fd4d38e9ef40bb778107<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      tommyboytesting_1.0.6<\/td>\n815ebfc4fb5bddf1f9ca1b12ae2a1b0e37736a93ea9babe858747096ad9ce671<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      tommyboytesting_1.0.7<\/td>\nd21ae84e104a305b5aebee8e6fbb4837976ef26935dac90372637f913ef58154<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      tommyboytesting_1.0.8<\/td>\n0c006540abcb768cad80a1a8ced926fa58f10cf9eb0be16c4185850df83bff82<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      tommyboytesting_1.0.9<\/td>\n847e684a228292dc905205d7353ed9458e10129105fe3b387c4e9374d6afd783<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      tommyboytesting_1.0.10<\/td>\ned6a350c4b1baa6f098293c328d0a62d35aafb4ab62b93e6f3a611f06be9aa29<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      tommyboytesting_1.0.11<\/td>\n123480357ab54d2c2067640105b5683445777ae1d20fd52551a5df9327692103<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      tommyboytesting_1.0.12<\/td>\n3710742057e470e8882a84412721ed19652e3f13977af21a937bad27d75b6f96<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      compliancereadserv-paypal_2.1.0<\/td>\ndd1a177126d48072381db98af74c964100c8ef2e43286f3a31114461251a164c<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      oauth2-paypal_0.6.0<\/td>\n0d8c5bb69c567e3949cc6e087610d79c886d9140d0eda88cc92d3ec63fb7a3b9<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      oauth2-paypal_1.6.0<\/td>\nb6bc001bc9b4171a27fb2a485cb3e3d8f23bc1ee6b4a03bbcfbba63b7d208477<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      oauth2-paypal_2.6.0<\/td>\n2c7bf841a659fa1d8105d26f6664ebc3a78b99e0c071eb7f529503346c40f778<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      oauth2-paypal_4.8.0<\/td>\ncbbe1d5a7d4a721c61b9c3b8b6a8e5d65508f02c70e708698d8165d92e154383<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      oauth2-paypal_7.5.0<\/td>\n25034c2542757ac93cb6008479a5bfc594f9e92f66249f6fb862447a18847ba7<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      oauth2-paypal_10.0.0<\/td>\n148d3552db2acf469c84e26889336f06167c6cf455248e08d703282bc0556fb8<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      oauth2-paypal_699.0.0<\/td>\n7186674c208242b8e6fdf7b0f4e7539218590618fee517aa264e8446247d3440<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      Paymentapiplatformservice-paypal_1.20.0<\/td>\n7a48db17a02e94c97a329cc1a578777d8b4fb74221bdb22202369d6590917fd0<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      Userbridge-paypal_1.20.0<\/td>\n7a48db17a02e94c97a329cc1a578777d8b4fb74221bdb22202369d6590917fd0<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n
      userrelationship-paypal_1.20.0<\/td>\nca7dc2b0856f89e71ce9da6f179b34c8879456b5dffda0b5bd3f0fd73bab1c50<\/td>\nBash\/TommyBoy.A!tr<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

      Find this News Interesting! Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>, &\u00a0X<\/a>\u00a0to Get Instant Security News Updates!<\/strong><\/strong><\/p>\n

      Also Read:<\/strong><\/h3>\n
      \n
      \n

      Sapphire Werewolf Enhances Toolkit With New Amethyst Stealer to Attack Energy Companies<\/a><\/p><\/blockquote>\n