Introduction
FortiGuard Labs, Fortinet's threat intelligence division, has reported a series of malicious npm packages built to steal sensitive information from developers and PayPal users, using PayPal-themed package names as the lure.
The packages were published between March 5 and March 14, 2025, by an account or group using the aliases tommyboy_h1 and tommyboy_h2. FortiGuard's analysis suggests that both aliases belong to the same actor.
The Threat Unveiled
The lure is the package names themselves: names such as oauth2-paypal and buttonfactoryserv-paypal borrow PayPal's reputation so that developers install them without scrutiny, and so that the packages blend in with legitimate payment-integration libraries.
Once installed, each package runs a malicious script from its preinstall lifecycle hook. Because npm executes that hook automatically during installation, the script runs before any of the package's own code is ever imported, and it quietly collects system information, from the username to local system paths, with no visible indication to the user.
According to FortiGuard Labs, the collected data is encrypted and obfuscated before it leaves the machine, which makes the exfiltration harder for security software to spot. Data of this kind can be used for direct financial theft or as a foothold for broader criminal activity.
Comprehensive Findings
The packages were published in quick succession, which points to a coordinated campaign rather than opportunistic uploads. They are a particular risk for small and medium-sized businesses, whose developers often add open-source dependencies on trust alone without vetting them. The packages identified are:
- oauth2-paypal v699.0.0
- buttonfactoryserv-paypal v3.50.0 and v3.99.0
- tommyboytesting variants, all embedded with identical malicious code.
Fortinet states that its machine-learning-based detection flags these packages; the corresponding detection name is listed under Indicators of Compromise below.
Actionable Guidelines
To defend against this kind of supply-chain attack, FortiGuard Labs recommends the following measures:
- Vet third-party npm packages before adding them: check the publisher, package age, download history and install scripts, and be especially skeptical of packages whose names invoke PayPal or another payment provider.
- Monitor network activity from developer and build machines, paying attention to unexpected outbound requests or data transfers to unrecognized servers.
- Remove any malicious package immediately and audit the affected host for follow-on compromise. Because the preinstall script runs at install time, the data has usually already been collected by the time the package is noticed, so treat credentials present on that host as exposed.
- Keep security updates and detection signatures current from trusted vendors such as Fortinet.
Indicators of Compromise
The following indicator, with its SHA-256 hash and Fortinet detection name, should be flagged or blocked:

| File | SHA-256 | Detection |
|---|---|---|
| buttonfactoryserv-paypal_3.50.0 | 18e45358462363996688ceabfc098e17f855d73842f460b34c683e58c728149f | Bash/TommyBoy.A!tr |
Last Updated: April 12, 2025