Attackers Leverage Bun JavaScript Runtime to Distribute NWHStealer Infostealer
What Happened — Researchers observed threat actors packaging the Rust‑based infostealer NWHStealer inside executables built with the newly popular JavaScript runtime Bun. The technique lets the malware blend into legitimate software bundles and evade traditional detection.
Why It Matters for TPRM —
- Bun’s novelty reduces the likelihood of existing endpoint rules flagging the payload.
- The stealer is hosted on widely‑used developer platforms (GitHub, SourceForge, etc.), increasing the chance of third‑party software supply‑chain compromise.
- Successful infection harvests browser credentials, crypto wallets, and FTP data, leading to downstream account takeover and financial loss for client organizations.
Who Is Affected — Technology SaaS providers, software development firms, and any organization that consumes third‑party tools or libraries from public code repositories.
Recommended Actions —
- Review all third‑party software acquisition policies; enforce verification of source authenticity.
- Update endpoint detection rules to flag Bun‑based executables and uncommon packagers.
- Conduct regular supply‑chain risk assessments for open‑source dependencies.
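As an added illustration of the detection action above (not code from the original summary or from Malwarebytes Labs), a small Python triage script that flags PE/ELF files embedding Bun runtime strings; the marker strings it looks for are assumptions and should be validated against a locally built Bun executable before use.

```python
"""Triage helper: flag executables that embed the Bun runtime.

Added illustration, not code from Malwarebytes Labs. MARKERS is an
ASSUMPTION: Bun reads environment variables such as BUN_INSTALL, and an
executable built with `bun build --compile` carries the whole runtime, so
those names are expected to survive in the binary. Validate locally first.
"""
import os
import sys

# Assumed runtime markers (see docstring). MIN_HITS distinct markers must
# appear before a file is reported, to limit false positives.
MARKERS = [b"BUN_INSTALL", b"BUN_CONFIG_VERBOSE_FETCH",
           b"BUN_RUNTIME_TRANSPILER_CACHE_PATH", b"bun.lockb"]
MIN_HITS = 2
EXEC_MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF"}


def scan_bytes(data: bytes) -> dict:
    """Return format, matched markers and a verdict for one file image."""
    fmt = next((n for magic, n in EXEC_MAGIC.items() if data.startswith(magic)), None)
    hits = [m.decode() for m in MARKERS if m in data]
    # Only native executables that embed the runtime are of interest here.
    return {"format": fmt, "hits": hits,
            "suspect": fmt is not None and len(hits) >= MIN_HITS}


def scan_dir(root: str) -> list:
    """Walk a directory tree and return paths that look Bun-compiled."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = scan_bytes(fh.read())
            except OSError:
                continue
            if result["suspect"]:
                flagged.append(path)
    return flagged


# Constructed samples: a fake PE image embedding two markers, and one with none.
SAMPLE_BUN_PE = b"MZ" + b"\x00" * 64 + b"BUN_INSTALL\x00bun.lockb\x00" + b"\x90" * 32
SAMPLE_PLAIN_PE = b"MZ" + b"\x00" * 64 + b"This program cannot be run in DOS mode"

if __name__ == "__main__":
    print(scan_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(SAMPLE_BUN_PE))
```

Run with a directory argument to triage a software drop; hits are candidates for analyst review, not a malware verdict on their own.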
Technical Notes — The attack vector abuses the third‑party dependency model by embedding malicious code in Bun‑compiled binaries. No known CVE is involved; the threat relies on the runtime’s low detection profile. NWHStealer collects system information, browser data, and crypto wallet credentials, and can execute additional payloads (e.g., XMRig). Persistence is achieved via scheduled tasks and UAC bypass attempts. Source: Malwarebytes Labs