![[The AI Show Episode 143]: ChatGPT Revenue Surge, New AGI Timelines, Amazon’s AI Agent, Claude for Education, Model Context Protocol & LLMs Pass the Turing Test](https://www.marketingaiinstitute.com/hubfs/ep%20143%20cover.png)
![From Accountant to Data Engineer with Alyson La [Podcast #168]](https://cdn.hashnode.com/res/hashnode/image/upload/v1744420903260/fae4b593-d653-41eb-b70b-031591aa2f35.png?#)
.png?#)
![Apple Watch SE 2 On Sale for Just $169.97 [Deal]](https://www.iclarified.com/images/news/96996/96996/96996-640.jpg)
![Apple Posts Full First Episode of 'Your Friends & Neighbors' on YouTube [Video]](https://www.iclarified.com/images/news/96990/96990/96990-640.jpg)
Beware Developers! Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data
FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users. Detected between March 5 and March 14, 2025, these packages were published by a threat actor using the aliases “tommyboy_h1” and “tommyboy_h2,” believed to be the same individual. The […] The post Beware Developers! Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data appeared first on Cyber Security News.
FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users.
Detected between March 5 and March 14, 2025, these packages were published by a threat actor using the aliases “tommyboy_h1” and “tommyboy_h2,” believed to be the same individual.
The malicious packages, including names like oauth2-paypal and buttonfactoryserv-paypal, exploit PayPal’s trusted brand to deceive developers into installing them.
By mimicking legitimate PayPal-related functionality, the packages create a false sense of legitimacy, increasing their chances of evading detection.
Once installed, they deploy a preinstall hook that automatically runs a malicious script, collecting system data such as usernames, hostnames, and directory paths without user awareness.
FortiGuard Labs’ analysis reveals that the script encodes stolen data into hexadecimal format, obfuscates it by splitting and truncating directory paths, and sends it to attacker-controlled servers via dynamically generated URLs.
This obfuscation makes it difficult for security tools to detect or block the exfiltration. The harvested information could be used to compromise PayPal accounts, fuel further attacks, or be sold on the dark web.
Key Findings
The campaign’s scale is notable, with the threat actor publishing numerous packages in a short timeframe. Examples include oauth2-paypal v699.0.0, buttonfactoryserv-paypal v3.50.0, and tommyboytesting variants, all exhibiting identical malicious code.
The packages target small to medium-sized businesses and developers, exploiting the open-source ecosystem’s trust model.
FortiGuard AntiVirus has flagged the malicious files as Bash/TommyBoy.A!tr, covering packages like:
- bankingbundleserv_1.20.0
- buttonfactoryserv-paypal_3.50.0 and 3.99.0
- oauth2-paypal (multiple versions, e.g., 0.6.0, 699.0.0)
- compliancereadserv-paypal_2.1.0
The authors of tommyboy_h1 and tommyboy_h2 are likely the same person, publishing multiple malicious packages in a short time. We suspect that the same author created these packages to target PayPal users, Fortinet said..
FortiGuard Labs urges organizations and developers to:
- Verify NPM packages, avoiding those with suspicious names like “paypal” (e.g., oauth2-paypal).
- Monitor network logs for unexpected connections to unknown servers.
- Remove any detected malicious packages, change compromised credentials, and scan systems for additional threats.
- Ensure security software is updated to leverage Fortinet’s latest protections.
Indicators of Compromise
| File | Hash (sha256) | Detection |
| bankingbundleserv_1.20.0 | 796deae716a6d66b49a99d00e541056babe34fd2fcbcea0380491de4b792afba | Bash/TommyBoy.A!tr |
| buttonfactoryserv-paypal_3.50.0 | 18e45358462363996688ceabfc098e17f855d73842f460b34c683e58c728149f | Bash/TommyBoy.A!tr |
| buttonfactoryserv-paypal_3.99.0 | 88bd580aa51129e4e5fa69e148131874c862015e7c51d59497e11f22db2d72c6 | Bash/TommyBoy.A!tr |
| tommyboytesting_1.0.1 | 23664decf3c2f28a3f552dc98d90017926617969713ccccdc9f5fd3178d76dbf | Bash/TommyBoy.A!tr |
| tommyboytesting_1.0.2 | ba63fbf6f7bab000bc1b1bf92319415328cea238872450adbaac6a6069132779 | Bash/TommyBoy.A!tr |
| tommyboytesting_1.0.5 | f359b687fb9e1a4c27fdf5174380abc9877f940ef6a6fd4d38e9ef40bb778107 | Bash/TommyBoy.A!tr |
| tommyboytesting_1.0.6 | 815ebfc4fb5bddf1f9ca1b12ae2a1b0e37736a93ea9babe858747096ad9ce671 | Bash/TommyBoy.A!tr |
| tommyboytesting_1.0.7 | d21ae84e104a305b5aebee8e6fbb4837976ef26935dac90372637f913ef58154 | Bash/TommyBoy.A!tr |
| tommyboytesting_1.0.8 | 0c006540abcb768cad80a1a8ced926fa58f10cf9eb0be16c4185850df83bff82 | Bash/TommyBoy.A!tr |
| tommyboytesting_1.0.9 | 847e684a228292dc905205d7353ed9458e10129105fe3b387c4e9374d6afd783 | Bash/TommyBoy.A!tr |
| tommyboytesting_1.0.10 | ed6a350c4b1baa6f098293c328d0a62d35aafb4ab62b93e6f3a611f06be9aa29 | Bash/TommyBoy.A!tr |
| tommyboytesting_1.0.11 | 123480357ab54d2c2067640105b5683445777ae1d20fd52551a5df9327692103 | Bash/TommyBoy.A!tr |
| tommyboytesting_1.0.12 | 3710742057e470e8882a84412721ed19652e3f13977af21a937bad27d75b6f96 | Bash/TommyBoy.A!tr |
| compliancereadserv-paypal_2.1.0 | dd1a177126d48072381db98af74c964100c8ef2e43286f3a31114461251a164c | Bash/TommyBoy.A!tr |
| oauth2-paypal_0.6.0 | 0d8c5bb69c567e3949cc6e087610d79c886d9140d0eda88cc92d3ec63fb7a3b9 | Bash/TommyBoy.A!tr |
| oauth2-paypal_1.6.0 | b6bc001bc9b4171a27fb2a485cb3e3d8f23bc1ee6b4a03bbcfbba63b7d208477 | Bash/TommyBoy.A!tr |
| oauth2-paypal_2.6.0 | 2c7bf841a659fa1d8105d26f6664ebc3a78b99e0c071eb7f529503346c40f778 | Bash/TommyBoy.A!tr |
| oauth2-paypal_4.8.0 | cbbe1d5a7d4a721c61b9c3b8b6a8e5d65508f02c70e708698d8165d92e154383 | Bash/TommyBoy.A!tr |
| oauth2-paypal_7.5.0 | 25034c2542757ac93cb6008479a5bfc594f9e92f66249f6fb862447a18847ba7 | Bash/TommyBoy.A!tr |
| oauth2-paypal_10.0.0 | 148d3552db2acf469c84e26889336f06167c6cf455248e08d703282bc0556fb8 | Bash/TommyBoy.A!tr |
| oauth2-paypal_699.0.0 | 7186674c208242b8e6fdf7b0f4e7539218590618fee517aa264e8446247d3440 | Bash/TommyBoy.A!tr |
| Paymentapiplatformservice-paypal_1.20.0 | 7a48db17a02e94c97a329cc1a578777d8b4fb74221bdb22202369d6590917fd0 | Bash/TommyBoy.A!tr |
| Userbridge-paypal_1.20.0 | 7a48db17a02e94c97a329cc1a578777d8b4fb74221bdb22202369d6590917fd0 | Bash/TommyBoy.A!tr |
| userrelationship-paypal_1.20.0 | ca7dc2b0856f89e71ce9da6f179b34c8879456b5dffda0b5bd3f0fd73bab1c50 | Bash/TommyBoy.A!tr |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Security News Updates!
Also Read:
The post Beware Developers! Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data appeared first on Cyber Security News.
