FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of [malicious NPM packages](https://cybersecuritynews.com/lazarus-adds-new-malicious-npm-packages/) designed to steal sensitive information from developers and target PayPal users.

Detected between March 5 and March 14, 2025, these packages were published by a threat actor using the aliases ‘tommyboy_h1’ and ‘tommyboy_h2’, believed to be the same individual.

(Figure: the packages published by the author ‘tommyboy_h2’.)

The malicious packages, including names like *oauth2-paypal* and *buttonfactoryserv-paypal*, exploit PayPal’s trusted brand to deceive developers into installing them. By mimicking legitimate PayPal-related functionality, the packages create a false sense of legitimacy, increasing their chances of evading detection.

Once installed, they deploy a preinstall hook that automatically runs a malicious script, collecting system data such as usernames, hostnames, and directory paths without user awareness.

[FortiGuard Labs’ analysis](https://www.fortinet.com/blog/threat-research/malicious-npm-packages-targeting-paypal-users) reveals that the script encodes stolen data into hexadecimal format, obfuscates it by splitting and truncating directory paths, and sends it to attacker-controlled servers via dynamically generated URLs. This obfuscation makes it difficult for security tools to detect or block the exfiltration. The harvested information could be used to compromise PayPal accounts, fuel further attacks, or be sold on the dark web.

**Key Findings**

The campaign’s scale is notable, with the threat actor publishing numerous packages in a short timeframe.
Examples include *oauth2-paypal v699.0.0*, *buttonfactoryserv-paypal v3.50.0*, and *tommyboytesting* variants, all exhibiting identical malicious code. The packages target small to medium-sized businesses and developers, exploiting the open-source ecosystem’s trust model.

FortiGuard AntiVirus has flagged the malicious files as *Bash/TommyBoy.A!tr*, covering packages like:

* *bankingbundleserv_1.20.0*
* *buttonfactoryserv-paypal_3.50.0* and *3.99.0*
* *oauth2-paypal* (multiple versions, e.g., 0.6.0, 699.0.0)
* *compliancereadserv-paypal_2.1.0*

“The authors of tommyboy_h1 and tommyboy_h2 are likely the same person, publishing multiple malicious packages in a short time. We suspect that the same author created these packages to target PayPal users,” Fortinet said.

FortiGuard Labs urges organizations and developers to:

* Verify NPM packages, avoiding those with suspicious names like ‘paypal’ (e.g., *oauth2-paypal*).
* Monitor network logs for unexpected connections to unknown servers.
* Remove any detected malicious packages, change compromised credentials, and scan systems for additional threats.
* Ensure security software is updated to leverage Fortinet’s latest protections.

**Indicators of Compromise**
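As an added example (not code from the FortiGuard report or from the packages it describes), the following Node.js script shows one way to act on the verification advice above: it audits package manifests for install-time lifecycle hooks, the mechanism this campaign relied on, and scans the hook command and the files it runs for the behaviours the report attributes to the malicious script (username, hostname and directory collection, hex encoding, outbound requests). The package names, manifests and file contents are constructed samples, and the regex indicators are assumed heuristics, not FortiGuard’s detection logic.

```javascript
// Added example: audit npm package manifests for install-time lifecycle hooks and for the
// behaviours the report attributes to the hook script. Patterns are assumed heuristics.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const BRAND_TERMS = ['paypal']; // impersonated brand named in the report
// Heuristic indicators (assumed), each mapped to the behaviour it suggests.
const INDICATORS = [
  ['user/host fingerprinting', /os\.(hostname|userInfo)\s*\(|\b(hostname|whoami)\b/],
  ['directory path collection', /process\.cwd\s*\(|process\.env\.(HOME|USERPROFILE)\b|\$\{?HOME\}?/],
  ['hex encoding of collected data', /toString\(\s*['"]hex['"]\s*\)|\bxxd\b/],
  ['outbound network reference', /https?:\/\/|\bfetch\s*\(|http\.request|\b(curl|wget)\b/],
];
// Files a hook command runs directly (node/sh/bash <file>), so their text is scanned too.
function referencedFiles(cmd) {
  const matches = cmd.match(/\b(?:node|sh|bash)\s+([\w./-]+)/g) || [];
  return matches.map(m => m.split(/\s+/)[1]);
}
// pkg = { name, manifest, files }; files maps a relative path to its text.
function auditPackage(pkg) {
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  const hooks = LIFECYCLE_HOOKS.filter(h => h in scripts);
  const corpus = hooks.map(h => scripts[h]);
  for (const h of hooks) {
    for (const f of referencedFiles(scripts[h])) {
      if (pkg.files && f in pkg.files) corpus.push(pkg.files[f]);
    }
  }
  const text = corpus.join('\n');
  const indicators = INDICATORS.filter(([, re]) => re.test(text)).map(([label]) => label);
  const brandMatch = BRAND_TERMS.some(t => pkg.name.toLowerCase().includes(t));
  // A hook alone is routine (native builds); a hook plus collection behaviour or a brand-impersonating name merits review.
  const verdict = indicators.length >= 2 || (brandMatch && hooks.length > 0) ? 'suspicious' : 'ok';
  return { name: pkg.name, hooks, indicators, brandMatch, verdict };
}
// Constructed sample packages (not the real package contents).
const SAMPLES = [
  { name: 'oauth2-paypal-sample', manifest: { scripts: { preinstall: 'node setup.js' } },
    files: { 'setup.js': "const os = require('os');\n" +
      "const d = [os.userInfo().username, os.hostname(), process.cwd()].join('|');\n" +
      "const hex = Buffer.from(d).toString('hex');\n" +
      "const target = 'http://example.invalid/' + hex; // placeholder, never contacted" } },
  { name: 'native-addon-sample', manifest: { scripts: { install: 'node-gyp rebuild' } }, files: {} },
  { name: 'plain-lib-sample', manifest: { scripts: { test: 'node test.js' } }, files: {} },
];
for (const r of SAMPLES.map(auditPackage)) {
  console.log(`${r.name}: ${r.verdict} hooks=[${r.hooks}] indicators=[${r.indicators}]`);
}
```

In real use, feed it each `node_modules/<pkg>/package.json` together with the files its hooks reference; the native-addon sample shows why a lifecycle hook on its own should not be treated as a verdict.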
The post [Beware Developers! Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data](https://cybersecuritynews.com/malicious-npm-packages-targeting-paypal-users-to-steal-sensitive-data/) appeared first on [Cyber Security News](https://cybersecuritynews.com).