Malicious NPM Packages Targeting PayPal Users
FortiGuard Labs has discovered a series of malicious NPM packages that use PayPal-related names to steal sensitive information, collecting system data through preinstall scripts and sending it to attacker-controlled servers. 2025-4-11 13:0:0 Author: feeds.fortinet.com (view original)

FortiGuard Labs’ AI-driven OSS malware detection system has recently discovered a series of malicious NPM packages designed to steal sensitive information from compromised systems. These packages are believed to have been created between March 5 and March 14 by a threat actor known as tommyboy_h1 and tommyboy_h2 to target PayPal users.

PayPal is a widely used platform holding sensitive financial information. Using PayPal-related names helps these malicious packages avoid detection, making it easier for attackers to steal sensitive information. By including "PayPal" in the name of the malicious packages, such as oauth2-paypal and buttonfactoryserv-paypal, the attackers also create a false sense of legitimacy, tricking developers into installing them. The code collects and exfiltrates system data, such as usernames and directory paths, which can then be used to target PayPal accounts or be sold for fraudulent purposes.

The packages share very similar code, all of it aimed at stealing sensitive information and sending it to remote servers. Affected users lose their private information without ever noticing.

The preinstall hook runs the malicious script automatically before the package is installed, so the user and security tools may never see it run. The script collects system data such as the current user, working directory, and hostname, which helps the attacker understand the environment for further malicious actions. This information is then encoded into hexadecimal and obfuscated by truncating and splitting directory paths, making it harder for security measures to detect. The obfuscated data is sent to an external server controlled by the attacker, and the dynamically generated URL makes it more difficult to block. The exfiltrated data may be used in further attacks. The threat actor published numerous malicious packages in a short time.

Figure 5: The author published numerous malicious packages in a short time.

Conclusion

These attacks rely on a "preinstall hook" in malicious NPM packages, which automatically runs a script when the package is installed. This script collects system information, such as the user, hostname, and directory paths, and then sends it to an attacker-controlled server. To spot a compromise, look for unusual NPM packages with names containing "paypal" (e.g., oauth2-paypal or buttonfactoryserv-paypal). Other signs include unexpected network connections to unknown servers, so also check your network logs for suspicious activity. If you find any suspicious packages, remove them, change compromised credentials, and scan your system for further threats. Keep your security software up to date so it can detect such issues.

The accounts tommyboy_h1 and tommyboy_h2 are likely operated by the same person, who published multiple malicious packages in a short time. We suspect that this same author created these packages to target PayPal users. We urge the public to be cautious when downloading packages and to ensure they come from trusted sources to avoid falling victim to such attacks.

Fortinet Protections

FortiGuard AntiVirus detects the malicious files identified in this report as:

bankingbundleserv_1.20.0: Bash/TommyBoy.A!tr
buttonfactoryserv-paypal_3.50.0: Bash/TommyBoy.A!tr
buttonfactoryserv-paypal_3.99.0: Bash/TommyBoy.A!tr
tommyboytesting_1.0.1: Bash/TommyBoy.A!tr
tommyboytesting_1.0.2: Bash/TommyBoy.A!tr
tommyboytesting_1.0.5: Bash/TommyBoy.A!tr
tommyboytesting_1.0.6: Bash/TommyBoy.A!tr
tommyboytesting_1.0.7: Bash/TommyBoy.A!tr
tommyboytesting_1.0.8: Bash/TommyBoy.A!tr
tommyboytesting_1.0.9: Bash/TommyBoy.A!tr
tommyboytesting_1.0.10: Bash/TommyBoy.A!tr
tommyboytesting_1.0.11: Bash/TommyBoy.A!tr
tommyboytesting_1.0.12: Bash/TommyBoy.A!tr
compliancereadserv-paypal_2.1.0: Bash/TommyBoy.A!tr
oauth2-paypal_0.6.0: Bash/TommyBoy.A!tr
oauth2-paypal_1.6.0: Bash/TommyBoy.A!tr
oauth2-paypal_2.6.0: Bash/TommyBoy.A!tr
oauth2-paypal_4.8.0: Bash/TommyBoy.A!tr
oauth2-paypal_7.5.0: Bash/TommyBoy.A!tr
oauth2-paypal_10.0.0: Bash/TommyBoy.A!tr
oauth2-paypal_699.0.0: Bash/TommyBoy.A!tr
Paymentapiplatformservice-paypal_1.20.0: Bash/TommyBoy.A!tr
Userbridge-paypal_1.20.0: Bash/TommyBoy.A!tr
userrelationship-paypal_1.20.0: Bash/TommyBoy.A!tr

The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Customers running current AntiVirus updates are protected.

The FortiGuard Web Filtering Service detects and blocks the download URLs cited in this report as Malicious.

The FortiDevSec SCA scanner detects malicious packages, including those cited in this report that may operate as dependencies in users' projects in test phases, and prevents those dependencies from being introduced into users' products.

If you believe these or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

File                                     Hash (sha256)                                                      Detection
bankingbundleserv_1.20.0                 796deae716a6d66b49a99d00e541056babe34fd2fcbcea0380491de4b792afba  Bash/TommyBoy.A!tr
buttonfactoryserv-paypal_3.50.0          18e45358462363996688ceabfc098e17f855d73842f460b34c683e58c728149f  Bash/TommyBoy.A!tr
buttonfactoryserv-paypal_3.99.0          88bd580aa51129e4e5fa69e148131874c862015e7c51d59497e11f22db2d72c6  Bash/TommyBoy.A!tr
tommyboytesting_1.0.1                    23664decf3c2f28a3f552dc98d90017926617969713ccccdc9f5fd3178d76dbf  Bash/TommyBoy.A!tr
tommyboytesting_1.0.2                    ba63fbf6f7bab000bc1b1bf92319415328cea238872450adbaac6a6069132779  Bash/TommyBoy.A!tr
tommyboytesting_1.0.5                    f359b687fb9e1a4c27fdf5174380abc9877f940ef6a6fd4d38e9ef40bb778107  Bash/TommyBoy.A!tr
tommyboytesting_1.0.6                    815ebfc4fb5bddf1f9ca1b12ae2a1b0e37736a93ea9babe858747096ad9ce671  Bash/TommyBoy.A!tr
tommyboytesting_1.0.7                    d21ae84e104a305b5aebee8e6fbb4837976ef26935dac90372637f913ef58154  Bash/TommyBoy.A!tr
tommyboytesting_1.0.8                    0c006540abcb768cad80a1a8ced926fa58f10cf9eb0be16c4185850df83bff82  Bash/TommyBoy.A!tr
tommyboytesting_1.0.9                    847e684a228292dc905205d7353ed9458e10129105fe3b387c4e9374d6afd783  Bash/TommyBoy.A!tr
tommyboytesting_1.0.10                   ed6a350c4b1baa6f098293c328d0a62d35aafb4ab62b93e6f3a611f06be9aa29  Bash/TommyBoy.A!tr
tommyboytesting_1.0.11                   123480357ab54d2c2067640105b5683445777ae1d20fd52551a5df9327692103  Bash/TommyBoy.A!tr
tommyboytesting_1.0.12                   3710742057e470e8882a84412721ed19652e3f13977af21a937bad27d75b6f96  Bash/TommyBoy.A!tr
compliancereadserv-paypal_2.1.0          dd1a177126d48072381db98af74c964100c8ef2e43286f3a31114461251a164c  Bash/TommyBoy.A!tr
oauth2-paypal_0.6.0                      0d8c5bb69c567e3949cc6e087610d79c886d9140d0eda88cc92d3ec63fb7a3b9  Bash/TommyBoy.A!tr
oauth2-paypal_1.6.0                      b6bc001bc9b4171a27fb2a485cb3e3d8f23bc1ee6b4a03bbcfbba63b7d208477  Bash/TommyBoy.A!tr
oauth2-paypal_2.6.0                      2c7bf841a659fa1d8105d26f6664ebc3a78b99e0c071eb7f529503346c40f778  Bash/TommyBoy.A!tr
oauth2-paypal_4.8.0                      cbbe1d5a7d4a721c61b9c3b8b6a8e5d65508f02c70e708698d8165d92e154383  Bash/TommyBoy.A!tr
oauth2-paypal_7.5.0                      25034c2542757ac93cb6008479a5bfc594f9e92f66249f6fb862447a18847ba7  Bash/TommyBoy.A!tr
oauth2-paypal_10.0.0                     148d3552db2acf469c84e26889336f06167c6cf455248e08d703282bc0556fb8  Bash/TommyBoy.A!tr
oauth2-paypal_699.0.0                    7186674c208242b8e6fdf7b0f4e7539218590618fee517aa264e8446247d3440  Bash/TommyBoy.A!tr
Paymentapiplatformservice-paypal_1.20.0  7a48db17a02e94c97a329cc1a578777d8b4fb74221bdb22202369d6590917fd0  Bash/TommyBoy.A!tr
Userbridge-paypal_1.20.0                 7a48db17a02e94c97a329cc1a578777d8b4fb74221bdb22202369d6590917fd0  Bash/TommyBoy.A!tr
userrelationship-paypal_1.20.0           ca7dc2b0856f89e71ce9da6f179b34c8879456b5dffda0b5bd3f0fd73bab1c50  Bash/TommyBoy.A!tr


Source: https://feeds.fortinet.com/~/916527947/0/fortinet/blog/threat-research~Malicious-NPM-Packages-Targeting-PayPal-Users