{"id":58493,"date":"2025-04-15T17:00:00","date_gmt":"2025-04-15T17:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads\/"},"modified":"2025-04-15T17:00:00","modified_gmt":"2025-04-15T17:00:00","slug":"threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads\/","title":{"rendered":"Threat actors misuse Node.js to deliver malware and other malicious payloads"},"content":{"rendered":"<p>Since October 2024, Microsoft Defender Experts (DEX) has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration. While traditional scripting languages like Python, PHP, and AutoIt remain widely used in threats, threat actors are now leveraging compiled JavaScript, or even running scripts directly from the command line with Node.js, to facilitate malicious activity. This shift in threat actor tactics, techniques, and procedures (TTPs) indicates that while Node.js-based malware isn\u2019t yet as prevalent, it is quickly becoming part of the continuously evolving threat landscape.<\/p>\n<p>Node.js is an open-source, cross-platform JavaScript runtime environment that allows JavaScript code to run outside of a web browser. It\u2019s widely used and trusted by developers because it lets them build frontend and backend applications. Threat actors abuse that same trust and ubiquity to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments. 
<\/p>\n<p>Among the most recent attacks we\u2019ve observed leveraging Node.js is a malvertising campaign with a cryptocurrency trading theme that attempts to lure users into downloading a malicious installer disguised as legitimate software. The campaign was still active as of April 2025. This blog details its attack chain, gives an example of the emerging inline script execution technique, and includes recommendations to help users and defenders reduce the impact of these attacks in their environments.<\/p>\n<h2 class=\"wp-block-heading\" id=\"malicious-ads-deliver-compiled-node-js-executables\">Malicious ads deliver compiled Node.js executables<\/h2>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365-life-hacks\/privacy-and-safety\/what-is-malvertising\">Malvertising<\/a> has been one of the most prevalent techniques in Node.js attacks we\u2019ve observed in customer environments. Attackers use malvertising campaigns to lure targets to fraudulent websites, where the targets then unknowingly download a malicious installer disguised as legitimate software. These fake websites often take advantage of popular themes such as financial services, software updates, and trending applications.<\/p>\n<p>In this campaign, the downloaded installer contains a malicious DLL that gathers system information and sets up a scheduled task for persistence. This sets the stage for its other techniques and activities, such as defense evasion, data collection, and payload delivery and execution.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-1.-Overview-of-the-malvertising-campaign-leveraging-Node.js.webp\" alt=\"Diagram of the campaign depicting the threat actor luring target users into downloading an installer using malvertisements. 
The installer creates a scheduled task to run PowerShell commands and downloads additional scripts from C2 to perform various defense evasion tactics, like excluding a process and folder from being scanned. Detailed information such as system, user, and browser data is harvested and sent to the threat actor's C2 through HTTP POST.\" class=\"wp-image-138454 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-1.-Overview-of-the-malvertising-campaign-leveraging-Node.js.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 1. Overview of the malvertising campaign leveraging Node.js<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"initial-access-and-persistence\">Initial access and persistence<\/h3>\n<p>This campaign uses malicious ads with a cryptocurrency trading theme to lure the target user into visiting a website and downloading a malicious installer disguised as a legitimate file from cryptocurrency-trading platforms like Binance or TradingView. The installer is a WiX-built MSI package containing a malicious <em>CustomActions.dll<\/em>. When launched, the installer loads the DLL, which gathers basic system information through a Windows Management Instrumentation (WMI) query and creates a scheduled task that repeatedly runs a PowerShell command, giving the intrusion persistence. Simultaneously, the DLL launches a decoy by opening an <em>msedge_proxy<\/em> window that displays a legitimate cryptocurrency trading website.<\/p>\n<h3 class=\"wp-block-heading\" id=\"defense-evasion\">Defense evasion<\/h3>\n<p>The scheduled task runs PowerShell commands that exclude both the PowerShell process and the current working directory from being scanned by Microsoft Defender Antivirus (the antivirus component that Microsoft Defender for Endpoint relies on). 
This action prevents subsequent PowerShell executions from being flagged, allowing the attack to continue undisturbed.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-2.-Command-line-used-for-the-exclusions.webp\" alt=\"Screenshot of the command line used for exclusions\" class=\"wp-image-138455 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-2.-Command-line-used-for-the-exclusions.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 2. Command line used for the exclusions<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"data-collection-and-exfiltration\">Data collection and exfiltration<\/h3>\n<p>With the exclusions set, an obfuscated PowerShell command is then launched through scheduled tasks to continuously fetch and run scripts from remote URLs. These scripts gather detailed system information, including:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Windows information:<\/strong> Registered owner, system root, installed software, email addresses<\/li>\n<li><strong>BIOS information:<\/strong> Manufacturer, name, release date, version<\/li>\n<li><strong>System information:<\/strong> Name, domain, manufacturer, model, domain membership, memory, logical processors, graphics processing units (GPUs), processors, network adapters<\/li>\n<li><strong>Operating system information:<\/strong> Name, version, locale, user access control (UAC) settings, country, language, time zone, install date<\/li>\n<\/ul>\n<p>All this information is structured into a nested hash table, converted into JSON format, and then sent using HTTP POST to the attacker\u2019s command-and-control (C2) server.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" 
src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-3.-Excerpts-from-the-script-that-gathers-and-exfiltrates-data.webp\" alt=\"A screen shot of the malicious script that gathers and exfiltrates data\" class=\"wp-image-138456 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-3.-Excerpts-from-the-script-that-gathers-and-exfiltrates-data.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 3. Excerpts from the script that gathers and exfiltrates data<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"payload-delivery\">Payload delivery<\/h3>\n<p>After the data collection activity, another PowerShell script is launched to perform the following actions:<\/p>\n<ul class=\"wp-block-list\">\n<li>Download an archive file from the C2 and extract its contents, which typically include:\n<ul>\n<li><em>node.exe<\/em> (the Node.js runtime)<\/li>\n<li>A JSC file (compiled JavaScript)<\/li>\n<li>Several supporting library files\/modules<\/li>\n<\/ul>\n<\/li>\n<li>Turn off proxy settings in the Windows registry<\/li>\n<li>Launch the JSC file with <em>node.exe<\/em> to start the attack\u2019s next stage<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-4.-Excerpts-from-the-script-that-downloads-and-launches-the-payload.webp\" alt=\"A screen shot of the malicious script that downloads and launches the payload\" class=\"wp-image-138457 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-4.-Excerpts-from-the-script-that-downloads-and-launches-the-payload.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 4. 
Excerpts from the script that downloads and launches the payload<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"payload-execution\">Payload execution<\/h3>\n<p>The Node.js executable launches the downloaded JSC file, which then performs the following routines:<\/p>\n<ul class=\"wp-block-list\">\n<li>Load multiple library modules<\/li>\n<li>Establish network connections<\/li>\n<li>Add certificates to the device<\/li>\n<li>Read and possibly exfiltrate sensitive browser information<\/li>\n<\/ul>\n<p>These routines might indicate follow-on malicious activities such as credential theft, evasion, or secondary payload execution, which are commonly observed in other malware campaigns leveraging Node.js.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-5.-Command-line-used-to-launch-the-JSC-file.webp\" alt=\"Screenshot of the command line used to launch the JSC file\" class=\"wp-image-138459 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-5.-Command-line-used-to-launch-the-JSC-file.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 5. Command line used to launch the JSC file<\/em><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"beyond-executables-inline-script-execution-in-node-js\">Beyond executables: Inline script execution in Node.js<\/h2>\n<p>Another notable technique we\u2019ve observed emerging from campaigns leveraging Node.js involves inline JavaScript execution. In this technique, malicious scripts are run directly through Node.js to facilitate the deployment of malware.<\/p>\n<p>One observed instance of this method was through a ClickFix social engineering attack, which attempts to deceive users into executing a malicious PowerShell command. 
This command initiates the download and installation of multiple components, including the Node.js binary (<em>node.exe<\/em>) and additional required modules. Once all the files are in place, the PowerShell script passes the JavaScript to Node.js inline on the command line rather than running it from a file, so no script file is written to disk and the process command line is the primary artifact for detection.<\/p>\n<p>The JavaScript further conducts network discovery by executing commands to map the domain structure and identify high-value assets. It also blends its command-and-control traffic with legitimate Cloudflare traffic by using Cloudflare tunnel (<em>trycloudflare.com<\/em>) hostnames as C2 endpoints, and gains persistence by modifying registry run keys.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-6.-Excerpts-from-the-malicious-script-highlighting-hardcoded-C2-servers.webp\" alt=\"A screen shot of the malicious script, highlighting hardcoded C2 servers\" class=\"wp-image-138460 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-6.-Excerpts-from-the-malicious-script-highlighting-hardcoded-C2-servers.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 6. Excerpts from the malicious script, highlighting hardcoded C2 servers<\/em><\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-7.-Excerpts-from-the-malicious-script-highlighting-core-HTTP-functions.webp\" alt=\"A screen shot of the malicious script excerpt, highlighting core HTTP functions\" class=\"wp-image-138461 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/Figure-7.-Excerpts-from-the-malicious-script-highlighting-core-HTTP-functions.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 7. 
Excerpts from the malicious script, highlighting core HTTP functions<\/em><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"recommendations\">Recommendations<\/h2>\n<p>Organizations can follow these recommendations to mitigate threats associated with Node.js misuse:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Educate users.<\/strong> Warn them about the risks of downloading software from unverified sources.<\/li>\n<li><strong>Monitor Node.js execution.<\/strong> Flag <em>node.exe<\/em> processes outside of sanctioned developer or application installs, especially ones launched by PowerShell or run from a freshly extracted archive.<\/li>\n<li><strong>Enforce PowerShell logging.<\/strong> Turn on script block logging so that de-obfuscated script content is recorded.<\/li>\n<li><strong>Turn on endpoint protection.<\/strong> Ensure endpoint detection and response (EDR) or extended detection and response (XDR) solutions are actively monitoring script execution.<\/li>\n<li><strong>Restrict outbound C2 communications.<\/strong> Implement firewall rules to block suspicious domains.<\/li>\n<\/ul>\n<p>Microsoft also recommends the following mitigations to reduce the impact of this threat.<\/p>\n<ul class=\"wp-block-list\">\n<li>Turn on <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/enable-cloud-protection-microsoft-defender-antivirus\" target=\"_blank\" rel=\"noreferrer noopener\">cloud-delivered protection<\/a> in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block a majority of new and unknown threats.<\/li>\n<li>Run&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/edr-in-block-mode\" target=\"_blank\" rel=\"noreferrer noopener\">EDR in block mode<\/a>&nbsp;so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.<\/li>\n<li>Allow&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/automated-investigations\" target=\"_blank\" rel=\"noreferrer noopener\">investigation and remediation<\/a>&nbsp;in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.<\/li>\n<li>Understand and use PowerShell\u2019s <a href=\"https:\/\/learn.microsoft.com\/powershell\/module\/microsoft.powershell.core\/about\/about_execution_policies\">execution policies<\/a>, which control how scripts are loaded and run. Set an appropriate execution policy based on your needs. Remember that execution policy alone is not foolproof; it can be bypassed.<\/li>\n<li>Turn on and monitor PowerShell logging.\n<ul>\n<li>Turn on script block logging, module logging, and transcription. These logs provide a trail of activity and help identify malicious behavior.<\/li>\n<\/ul>\n<\/li>\n<li>Turn on <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection\">tamper protection features<\/a> to prevent attackers from stopping security services. 
Combine tamper protection with the <a href=\"https:\/\/learn.microsoft.com\/windows\/client-management\/mdm\/defender-csp\">DisableLocalAdminMerge<\/a> setting, which makes Defender ignore locally configured preferences in favor of centrally managed ones, so that attackers cannot use local administrator privileges to set antivirus exclusions.<\/li>\n<\/ul>\n<p>Microsoft Defender XDR customers can turn on <a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction\" target=\"_blank\" rel=\"noreferrer noopener\">attack surface reduction rules<\/a> to prevent common attack techniques.<\/p>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-xdr-detections\">Microsoft Defender XDR detections<\/h2>\n<p>Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<p>Customers with provisioned access can also use <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-in-microsoft-365-defender\">Microsoft Security Copilot in Microsoft Defender<\/a> to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-endpoint\">Microsoft Defender for Endpoint<\/h3>\n<p>The following alerts might indicate threat activity associated with this threat. 
These alerts, however, can be triggered by unrelated threat activity.&nbsp;&nbsp;<\/p>\n<ul class=\"wp-block-list\">\n<li>Suspicious PowerShell download or encoded command execution&nbsp;<\/li>\n<li>Suspicious Task Scheduler activity&nbsp;<\/li>\n<li>Suspicious behavior by powershell.exe was observed&nbsp;<\/li>\n<li>Node binary loading suspicious combination of libraries&nbsp;<\/li>\n<li>Activity that might lead to information stealer&nbsp;<\/li>\n<li>Possible theft of passwords and other sensitive web browser information&nbsp;<\/li>\n<li>Suspicious DPAPI Activity&nbsp;<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot<\/h2>\n<p>Security Copilot customers can use the standalone experience to <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/prompting-security-copilot#create-your-own-prompts\">create their own prompts<\/a> or run the following <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/using-promptbooks\">pre-built promptbooks<\/a> to automate incident response or investigation tasks related to this threat:<\/p>\n<ul class=\"wp-block-list\">\n<li>Incident investigation<\/li>\n<li>Microsoft User analysis<\/li>\n<li>Threat Intelligence 360 report based on MDTI article<\/li>\n<\/ul>\n<p>Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.<\/p>\n<h2 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h2>\n<p>Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-threat-intelligence\">Microsoft Defender Threat Intelligence<\/h3>\n<p>Microsoft Security Copilot customers can also use the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/security-copilot-and-defender-threat-intelligence?bc=%2Fsecurity-copilot%2Fbreadcrumb%2Ftoc.json&amp;toc=%2Fsecurity-copilot%2Ftoc.json#turn-on-the-security-copilot-integration-in-defender-ti\">Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/using-copilot-threat-intelligence-defender-xdr\">embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n<h2 class=\"wp-block-heading\" id=\"hunting-queries\">Hunting queries<\/h2>\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-xdr\">Microsoft Defender XDR<\/h3>\n<p>Microsoft Defender XDR customers can run the following queries to find related activity in their networks:<\/p>\n<p><strong>Suspicious JSC file<\/strong><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"10\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nDeviceProcessEvents\n| where isnotempty(DeviceId)\n| where ProcessVersionInfoOriginalFileName == 'node.exe'\n| where ProcessCommandLine has_all (\".jsc\", \".js\") and ProcessCommandLine matches regex @\"\\\\\\w*.jsc\"\n<\/pre>\n<\/div>\n<p><strong>Suspicious inline JavaScript execution<\/strong><\/p>\n<p>Identify inline JavaScript that combines HTTP, child-process, file system, path, and compression modules in a single <em>node.exe<\/em> command line. Tune this on developer workstations, where such one-liners may be legitimate.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"13\">\n<pre class=\"brush: plain; auto-links: false; gutter: 
false; title: ; notranslate\" title>\nDeviceProcessEvents\n| where isnotempty(DeviceId)\n| where ProcessVersionInfoOriginalFileName == 'node.exe'\n| where ProcessCommandLine has_all ('http', 'execSync', 'spawn', 'fs', 'path', 'zlib')\n<\/pre>\n<\/div>\n<p><strong>Node.js-based infostealer activity<\/strong><\/p>\n<p>Detect access to DPAPI-protected credentials (ETW event 16385) by a <em>node.exe<\/em> process that PowerShell launched with a <em>.js<\/em> loader and a <em>.jsc<\/em> payload.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"10\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nDeviceEvents\n| where isnotempty(DeviceId)\n| where EtwEventId == 16385\n| where InitiatingProcessParentFileName endswith \"powershell.exe\"\n| where InitiatingProcessFileName =~ \"node.exe\"\n| where InitiatingProcessCommandLine has_all (\"-r\", \".js\") and InitiatingProcessCommandLine endswith \".jsc\"\n<\/pre>\n<\/div>\n<h3 class=\"wp-block-heading\" id=\"microsoft-sentinel\">Microsoft Sentinel<\/h3>\n<p>Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\">Microsoft Sentinel Content Hub<\/a> to have the analytics rule deployed in their Sentinel workspace.<\/p>\n<p>Below are the queries using <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/normalization\">Sentinel Advanced Security Information Model (ASIM) functions<\/a> to hunt threats across both Microsoft first-party and third-party data sources. 
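<\/p>\n<p>The three Microsoft Defender XDR queries above, together with the Defender exclusion command from the Defense evasion section, re-implemented as an added example in JavaScript so the detection logic can be run offline against a handful of constructed events. This is editorial example code, not part of the Microsoft post and not the campaign\u2019s own tooling: the device names, process IDs, staging path, and command lines are made up, and the base64 PowerShell argument is generated inside the block. Field names follow the advanced-hunting schema, and the third rule keeps the post\u2019s assumption that DPAPI access surfaces as ETW event 16385.<\/p>

```javascript
// Added example (not from the Microsoft post): the three Defender XDR hunting queries above,
// plus a check for the Defender-exclusion command from the "Defense evasion" section,
// re-implemented as plain functions over DeviceProcessEvents/DeviceEvents-style records so
// the logic can be exercised offline. Field names follow the advanced-hunting schema; the
// sample events, device names, PIDs and paths below are constructed for this example.

// Modules whose joint presence in one node.exe command line the inline-execution query keys on.
const INLINE_INDICATORS = ["http", "execSync", "spawn", "fs", "path", "zlib"];

const isNode = (ev) => ev.ProcessVersionInfoOriginalFileName === "node.exe";

// Recover the script behind "powershell.exe -EncodedCommand <base64 of UTF-16LE text>".
// Accepts the usual abbreviations (-e, -ec, -enc, ...) but does not match -ExecutionPolicy.
function decodePowerShell(commandLine) {
  const m = commandLine.match(/-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+\/=]{16,})/i);
  if (!m) return commandLine;
  return commandLine + " " + Buffer.from(m[1], "base64").toString("utf16le");
}

// Defense evasion: PowerShell adding Defender Antivirus exclusions via Add-/Set-MpPreference.
function flagsDefenderExclusion(ev) {
  if (!/powershell\.exe$/i.test(ev.FileName ?? "")) return false;
  const script = decodePowerShell(ev.ProcessCommandLine ?? "");
  return /(Add|Set)-MpPreference/i.test(script) && /-Exclusion(Path|Process|Extension)/i.test(script);
}

// Query 1 ("Suspicious JSC file"): node.exe given both a .js loader and a .jsc payload.
// The post's regex @"\\\w*.jsc" is kept, with the dot escaped so it only matches ".jsc".
function flagsCompiledJsc(ev) {
  if (!isNode(ev)) return false;
  const cl = ev.ProcessCommandLine ?? "";
  return cl.includes(".jsc") && cl.includes(".js") && /\\\w*\.jsc/i.test(cl);
}

// Query 2 ("Suspicious inline JavaScript execution"): every indicator present in the command
// line. KQL's has_all is term-based; a case-insensitive substring check is a superset of it.
function flagsInlineScript(ev) {
  if (!isNode(ev)) return false;
  const cl = (ev.ProcessCommandLine ?? "").toLowerCase();
  return INLINE_INDICATORS.every((term) => cl.includes(term.toLowerCase()));
}

// Query 3 ("Node.js-based infostealer activity"): a DPAPI ETW event (16385) whose initiating
// process is node.exe spawned by PowerShell with the "-r <loader>.js <payload>.jsc" pattern.
function flagsDpapiFromNode(ev) {
  if (ev.EtwEventId !== 16385) return false;
  if (!/powershell\.exe$/i.test(ev.InitiatingProcessParentFileName ?? "")) return false;
  if ((ev.InitiatingProcessFileName ?? "").toLowerCase() !== "node.exe") return false;
  const cl = ev.InitiatingProcessCommandLine ?? "";
  return cl.includes("-r") && cl.includes(".js") && cl.toLowerCase().endsWith(".jsc");
}

const RULES = [
  ["defender-exclusion-via-powershell", flagsDefenderExclusion],
  ["node-compiled-jsc-launch", flagsCompiledJsc],
  ["node-inline-script", flagsInlineScript],
  ["node-dpapi-access", flagsDpapiFromNode],
];

// Run every rule over every event; returns one hit per (event, rule) match, in input order.
function triage(events) {
  const hits = [];
  for (const ev of events) {
    for (const [rule, test] of RULES) {
      if (test(ev)) hits.push({ device: ev.DeviceName, pid: ev.ProcessId ?? ev.InitiatingProcessId, rule });
    }
  }
  return hits;
}

// ---- Constructed sample telemetry (not real campaign data) ----
const STAGE_DIR = String.raw`C:\Users\alice\AppData\Local\Temp\tv`;
const EXCLUSION_SCRIPT = `Add-MpPreference -ExclusionPath '${STAGE_DIR}' -ExclusionProcess 'powershell.exe'`;
const JSC_LAUNCH = `"${STAGE_DIR}\\node.exe" -r "${STAGE_DIR}\\loader.js" ${STAGE_DIR}\\app.jsc`;

const SAMPLE_EVENTS = [
  { DeviceName: "WS-01", ProcessId: 4120, FileName: "powershell.exe",
    ProcessCommandLine: "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " +
      Buffer.from(EXCLUSION_SCRIPT, "utf16le").toString("base64") },
  { DeviceName: "WS-01", ProcessId: 5388, FileName: "node.exe",
    ProcessVersionInfoOriginalFileName: "node.exe", ProcessCommandLine: JSC_LAUNCH },
  { DeviceName: "WS-01", ProcessId: 6012, FileName: "node.exe",
    ProcessVersionInfoOriginalFileName: "node.exe",
    ProcessCommandLine: "node.exe -e \"const http=require('http'),{execSync,spawn}=require('child_process')," +
      "fs=require('fs'),path=require('path'),zlib=require('zlib');\"" },
  { DeviceName: "WS-01", EtwEventId: 16385, InitiatingProcessId: 5388,
    InitiatingProcessParentFileName: "powershell.exe", InitiatingProcessFileName: "node.exe",
    InitiatingProcessCommandLine: JSC_LAUNCH },
  // Benign: a developer running a local server and an admin running a maintenance script.
  { DeviceName: "DEV-07", ProcessId: 7001, FileName: "node.exe",
    ProcessVersionInfoOriginalFileName: "node.exe", ProcessCommandLine: String.raw`node.exe C:\dev\api\server.js` },
  { DeviceName: "DEV-07", ProcessId: 7002, FileName: "powershell.exe",
    ProcessCommandLine: String.raw`powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1` },
];

console.table(triage(SAMPLE_EVENTS));
```

<p>Running the block yields four hits, one per rule, and none for the two benign events. The exclusion rule decodes <em>-EncodedCommand<\/em> arguments before matching, which covers one common form of the PowerShell obfuscation the post mentions; the inline-script rule is deliberately a superset of KQL\u2019s term-based <em>has_all<\/em>, so expect to tune it on developer workstations where such one-liners may be legitimate.<\/p>\n<p>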
ASIM also supports deploying parsers to specific workspaces&nbsp;<a href=\"https:\/\/aka.ms\/DeployASIM\">from GitHub<\/a>, using an ARM template or manually.<\/p>\n<p>Detect network indicators of compromise communication to C2 servers:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"27\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nlet selectedTimestamp = datetime(2025-04-15T00:00:00.0000000Z);\nlet ip = dynamic(['216.245.184.181', '212.237.217.182', '168.119.96.41']);\nlet url = dynamic(['sublime-forecasts-pale-scored.trycloudflare.com', 'washing-cartridges-watts-flags.trycloudflare.com', 'investigators-boxing-trademark-threatened.trycloudflare.com', 'fotos-phillips-princess-baker.trycloudflare.com', 'casting-advisors-older-invitations.trycloudflare.com', 'complement-parliamentary-chairs-hc.trycloudflare.com']);\nsearch in (AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceInfo,DeviceNetworkEvents,DeviceNetworkInfo,DnsEvents,SecurityEvent,VMConnection,WindowsFirewall)\nTimeGenerated between ((selectedTimestamp - 1m) .. 
(selectedTimestamp + 90d)) \/\/ from April 15th runs the search for last 90 days, change the above selectedTimestamp or 90d accordingly.\nand (RemoteIP in (ip) or DestinationIP in (ip) or DeviceCustomIPv6Address1 in (ip) or DeviceCustomIPv6Address2 in (ip) or DeviceCustomIPv6Address3 in (ip) or DeviceCustomIPv6Address4 in (ip) or MaliciousIP in (ip) or SourceIP in (ip) or PublicIP in (ip) or LocalIPType in (ip) or RemoteIPType in (ip) or IPAddresses in (ip) or IPv4Dhcp in (ip) or IPv6Dhcp in (ip) or IpAddress in (ip) or NASIPv4Address in (ip) or NASIPv6Address in (ip) or RemoteIpAddress in (ip) or RemoteUrl in (url))\n<\/pre>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"mitre-att-ck-tactics-and-techniques-observed\">MITRE ATT&amp;CK tactics and techniques observed<\/h2>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"22.5\">\n<tr>\n<td><strong>Tactic<\/strong><\/td>\n<td><strong>Technique<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr readability=\"5\">\n<td><strong>Initial Access<\/strong><\/td>\n<td>T1189 Drive-by Compromise<\/td>\n<td>Malware is downloaded from malicious websites, such as fake cryptocurrency trading websites<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><strong>Persistence<\/strong><\/td>\n<td>T1053.005 Scheduled Task\/Job: Scheduled Task<br \/>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/td>\n<td>Ensures persistence through a scheduled task (installer campaign) or registry run keys (inline-script campaign)<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td><strong>Defense Evasion<\/strong><\/td>\n<td>T1562.001 Impair Defenses: Disable or Modify Tools<br \/>T1564.001 Hide Artifacts: Hidden Files and Directories<br \/>T1027 Obfuscated Files or Information<br \/>T1497.003 Virtualization\/Sandbox Evasion: Time Based Evasion<\/td>\n<td>Adds antivirus exclusions for the PowerShell process and working folder, and bypasses security controls using hidden files, obfuscation, and sandbox detection<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td><strong>Discovery<\/strong><\/td>\n<td>T1082 System Information 
Discovery<\/td>\n<td>Gathers detailed system information, including hardware and software data<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><strong>Credential Access<\/strong><\/td>\n<td>T1555.003 Credentials from Password Stores: Credentials from Web Browsers<\/td>\n<td>Reads DPAPI-protected browser credential stores and other sensitive browser data<\/td>\n<\/tr>\n<tr readability=\"10\">\n<td><strong>Collection<\/strong><\/td>\n<td>T1005 Data from Local System<\/td>\n<td>Captures system details, installed software, emails, BIOS data, running tasks, and network information<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td><strong>Command and Control<\/strong><\/td>\n<td>T1071.001 Application Layer Protocol: Web Protocols<br \/>T1105 Ingress Tool Transfer<\/td>\n<td>Periodically connects to remote servers (for example, Cloudflare tunnels) to send stolen data and receive commands<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><strong>Exfiltration<\/strong><\/td>\n<td>T1041 Exfiltration Over C2 Channel<\/td>\n<td>Sends collected data to a remote server through HTTP POST<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p>To learn how Microsoft can help your team stop similar threats and prevent future compromise with human-led managed services, check out <a href=\"https:\/\/www.microsoft.com\/security\/business\/services\/microsoft-defender-experts-xdr\">Microsoft Defender Experts for XDR<\/a>.<\/p>\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n<p>To get notified about new publications and to join discussions on social media, follow us on LinkedIn at <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence<\/a>, and on X 
(formerly Twitter) at&nbsp;<a href=\"https:\/\/x.com\/MsftSecIntel\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/x.com\/MsftSecIntel<\/a>.<\/p>\n<p>To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence<\/a>.<\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/15\/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information theft and data exfiltration.<br \/>\nThe post Threat actors misuse Node.js to deliver malware and other malicious payloads appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":58494,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[5449,357],"class_list":["post-58493","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-credential-theft","tag-windows"]}