By Jenna Wang | April 11, 2025
FortiGuard Labs’ AI-driven OSS malware detection system has recently discovered a series of malicious NPM packages designed to steal sensitive information from compromised systems. These packages are believed to have been created between March 5 and March 14 by a threat actor operating under the aliases tommyboy_h1 and tommyboy_h2, targeting PayPal users.
PayPal is a widely used platform holding sensitive financial information. Using PayPal-related names helps these malicious packages avoid detection, making it easier for attackers to steal sensitive information. By including "PayPal" in the name of the malicious packages, such as oauth2-paypal and buttonfactoryserv-paypal, the attackers also create a false sense of legitimacy, tricking developers into installing them. The code collects and exfiltrates system data, such as usernames and directory paths, which can then be used to target PayPal accounts or be sold for fraudulent purposes.
The packages share very similar code, all of it aimed at collecting sensitive information and sending it to remote servers; affected users would lose their private data without noticing anything.
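One defensive check a practitioner would want after reading this report, added here as an example and not part of the FortiGuard article: audit an npm lockfile (lockfileVersion 2 or 3) for the two package names named above and for any other name that carries the PayPal brand outside an official scope. It assumes legitimate PayPal packages are published under the @paypal scope; the lockfile content is constructed.

```python
import json

# Package names the FortiGuard report identifies as malicious.
KNOWN_MALICIOUS = {"oauth2-paypal", "buttonfactoryserv-paypal"}
# Assumption for this example: legitimate PayPal packages are published under
# the @paypal scope, so "paypal" in any other name is treated as impersonation.
BRAND, OFFICIAL_SCOPE = "paypal", "@paypal/"

def package_name_from_path(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; the root entry '' -> ''."""
    return path.rsplit("node_modules/", 1)[-1] if path else ""

def audit_lockfile(lock_text: str) -> list[dict]:
    """Return one finding per suspicious entry in a lockfileVersion 2/3 file."""
    packages = json.loads(lock_text).get("packages")
    if packages is None:
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    findings = []
    for path, meta in packages.items():
        name = package_name_from_path(path)
        if not name:
            continue  # root project entry, not a dependency
        reasons = []
        if name in KNOWN_MALICIOUS:
            reasons.append("known-malicious")
        if BRAND in name.lower() and not name.startswith(OFFICIAL_SCOPE):
            reasons.append("brand-impersonation")
        if meta.get("hasInstallScript"):  # npm marks packages that run code at install time
            reasons.append("install-script")
        if reasons:
            findings.append({"path": path, "name": name,
                             "version": meta.get("version"), "reasons": reasons})
    return findings

# Constructed sample lockfile, not a real project (the nested entry shows that
# transitive dependencies are walked too).
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/oauth2-paypal": {"version": "1.0.3", "hasInstallScript": True},
    "node_modules/@paypal/example-sdk": {"version": "2.0.0"},
    "node_modules/some-lib": {"version": "1.3.0"},
    "node_modules/some-lib/node_modules/buttonfactoryserv-paypal": {"version": "0.1.0"},
}})

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"{f['name']}@{f['version']} ({f['path']}): {', '.join(f['reasons'])}")
```

Run it against a real project with `audit_lockfile(open("package-lock.json").read())`; a non-empty result is a reason to inspect the flagged package before the next install.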