The ongoing issue of malicious uploads to open-source repositories continues to erode developer confidence and pose significant risks for organizations relying on community-driven code. For software teams, the challenge isn’t just identifying trusted sources — it’s ensuring that every dependency in their supply chain remains uncompromised. With millions of packages being downloaded daily, even a brief exposure to a compromised library can have far-reaching consequences.
In the latest case, Datadog Security researchers uncovered 17 malicious packages — spanning 23 releases — uploaded to the popular npm repository. These packages were found to contain downloader malware targeting Windows systems, activated through a postinstall script upon package installation. Once executed, the code initiated the download and deployment of additional payloads designed to compromise the victim’s system.
What made these packages particularly deceptive was their camouflage as legitimate open-source tools. They appeared to be Telegram bot helpers, icon libraries, or even forks of well-known projects like Cursor and React. While they offered some genuine functionality, their hidden purpose was to deliver the Vidar infostealer, a malware strain known for stealing credentials, browser data, and cryptocurrency wallet information. According to Datadog, this marks the first publicly documented case of Vidar being distributed through npm packages — a troubling development for the broader software supply chain.
Following the discovery, npm banned the two accounts responsible — “aartje” and “saliii229911” — but not before the malicious code remained in the registry for roughly two weeks. During that time, the infected packages were downloaded more than 2,200 times, though researchers suspect most of those were by automated systems or scrapers rather than active developers. Still, the incident highlights how quickly malware can spread in open ecosystems and reinforces the need for stricter package vetting, automated dependency scanning, and heightened vigilance across the open-source community.