{"id":133911,"date":"2025-11-20T14:29:05","date_gmt":"2025-11-20T14:29:05","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=133911"},"modified":"2025-11-20T14:29:09","modified_gmt":"2025-11-20T14:29:09","slug":"tsundere-botnet-abusing-popular-node-js-and-cryptocurrency-packages","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/tsundere-botnet-abusing-popular-node-js-and-cryptocurrency-packages\/","title":{"rendered":"Tsundere Botnet Abusing Popular Node.js and Cryptocurrency Packages to Attack Windows, Linux, and macOS Users"},"content":{"rendered":"\n<p>Tsundere represents a significant shift in botnet tactics, leveraging the power of legitimate Node.js packages and blockchain technology to distribute malware across multiple operating systems.<\/p>\n\n\n\n<p>First identified around mid-2025 by Kaspersky GReAT researchers, this botnet demonstrates the evolving sophistication of supply chain attacks.<\/p>\n\n\n\n<p>The threat originates from activity first observed in October 2024, where attackers created 287 malicious npm packages using typosquatting\u2014mimicking the names of popular libraries like Puppeteer and Bignum.js to deceive developers into installation.<\/p>\n\n\n\n<p>The infection vector has evolved considerably since then. 
Tsundere spreads through multiple pathways, including Remote Monitoring and <a href=\"https:\/\/cybersecuritynews.com\/product-management-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\">Management tools<\/a> and disguised game installers that capitalize on piracy communities.<\/p>\n\n\n\n<p>Samples discovered in the wild bear names like &#8220;valorant,&#8221; &#8220;cs2,&#8221; and &#8220;r6x,&#8221; specifically targeting first-person shooter enthusiasts.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhjaT9bVYWTO6eiIJrQ7ZmEzJz0mK4F6WBsqMa-ycqtytZpj1P3CXI2VB5ei_24WN0lYMtr7UEu0jAkKOonnF1K_Tdj57GEATe1tRL7sF4BkIwOV5FEt4JKiYrBAEM6BrIWhH4reFRkvLEN6SxI_CJ-O5rMUW4apGWWI19YIp_sZGyVlXRHcbSONryx-vI\/s16000\/Smart%20contract%20containing%20the%20Tsundere%20botnet%20WebSocket%20C2%20(Source%20-%20Securelist).webp\" alt=\"Smart contract containing the Tsundere botnet WebSocket C2 (Source - Securelist)\" \/><figcaption class=\"wp-element-caption\">Smart contract containing the Tsundere botnet WebSocket C2 (Source &#8211; Securelist)<\/figcaption><\/figure><\/div>\n\n\n<p>This approach proves highly effective at evading traditional security awareness since users expect these applications anyway.<\/p>\n\n\n\n<p>The botnet particularly threatens Windows users, though the initial campaign exposed systems across Windows, Linux, and macOS platforms when it operated through <a href=\"https:\/\/cybersecuritynews.com\/new-malware-in-npm-package-steals-browser-passwords\/\" target=\"_blank\" rel=\"noreferrer noopener\">npm package<\/a> deployment.<\/p>\n\n\n\n<p>The infrastructure behind Tsundere reveals a sophisticated understanding of modern attack methods. 
Rather than relying on traditional centralized command-and-control infrastructure, the botnet utilizes Ethereum blockchain smart contracts to store and retrieve C2 addresses.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgyPKpv92Sz2OVNW0WXydXfGnnBFtBbHs5J9e_LfdYk6njvztHK0jvNvS8qGJx_4N9xCVQvP_q5EVj91D6lWLZHWgcy08pWtoze613xDdWK3ABiY-z-FTvX2DUE0Ksq3Qemd7p9NUlf3pGfdTBs2vSZGybAPYUc1OJOMncqp0waScXsIx3sQhdDYltoB8I\/s16000\/Tsundere%20communication%20process%20with%20the%20C2%20via%20WebSockets%20(Source%20-%20Securelist).webp\" alt=\"Tsundere communication process with the C2 via WebSockets (Source - Securelist)\" \/><figcaption class=\"wp-element-caption\">Tsundere communication process with the C2 via WebSockets (Source &#8211; Securelist)<\/figcaption><\/figure><\/div>\n\n\n<p>This approach adds resilience by making servers difficult to take down through conventional means. 
The threat actor, identified as koneko\u2014a Russian-speaking operative\u2014operates a professional marketplace where other cybercriminals can purchase botnet services or deploy their own functionality.<\/p>\n\n\n\n<p>Securelist security analysts <a href=\"https:\/\/securelist.com\/tsundere-node-js-botnet-uses-ethereum-blockchain\/117979\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> the malware after discovering connections between the current campaign and earlier supply chain attacks.<\/p>\n\n\n\n<p>Their investigation revealed that the threat actor has since resurfaced with enhanced capabilities, launching Tsundere as an evolution of previous malware efforts.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiINgz4i0hSl-_nfwWYUKpMs-YkiXK2fptHYhh2pO3dhA7vIFgUMEvasvWg8SMpjuHJfVuQ0YdrAp4hbyiSdUGSCEldVbNjZes-yALeGd33y-nqWO_oaRsGu8G-MNtFEsxg_hjy9CX1b_dDZqKAfVgYjQgdSSE_tmmjBrAfLFIdsFmKg5rOivqfdq6Ht8w\/s16000\/Tsundere%20botnet%20panel%20login%20(Source%20-%20Securelist).webp\" alt=\"Tsundere botnet panel login (Source - Securelist)\" \/><figcaption class=\"wp-element-caption\">Tsundere botnet panel login (Source &#8211; Securelist)<\/figcaption><\/figure><\/div>\n\n\n<p>The panel supports both MSI installer and <a href=\"https:\/\/cybersecuritynews.com\/cybereye-rat-disable-windows-defender-using-powershell\/\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell<\/a> script delivery mechanisms, giving attackers flexibility in deployment strategies across different network environments and defenses.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-tsundere-maintains-persistence-through-node-js-abuse\"><strong>How Tsundere Maintains Persistence Through Node.js Abuse<\/strong><\/h2>\n\n\n\n<p>The infection mechanism begins when an MSI installer or PowerShell script executes on the victim&#8217;s system, 
dropping legitimate Node.js runtime files into AppData alongside malicious JavaScript.<\/p>\n\n\n\n<p>The setup uses a hidden PowerShell command that spawns a Node.js process executing obfuscated loader code.<\/p>\n\n\n\n<p>This loader script decrypts the main bot using AES-256-CBC encryption before establishing the botnet environment. The bot automatically installs three critical npm packages: ws for WebSocket communication, ethers for <a href=\"https:\/\/cybersecuritynews.com\/malicious-npm-packages-attacking-ethereum-wallets\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ethereum blockchain<\/a> interaction, and pm2 for process persistence.<\/p>\n\n\n\n<p>The pm2 package plays a crucial role in maintaining presence on compromised machines. It creates registry entries that ensure the bot restarts automatically whenever a user logs in, achieving effective <a href=\"https:\/\/cybersecuritynews.com\/detecting-and-responding-to-new-nation-state-persistence-techniques\/\" target=\"_blank\" rel=\"noreferrer noopener\">persistence<\/a>.<\/p>\n\n\n\n<p>The bot then queries Ethereum blockchain nodes through public RPC providers, retrieving the current C2 server address from a smart contract variable.<\/p>\n\n\n\n<p>This clever approach means defenders cannot simply block a known IP address\u2014the attackers rotate C2 infrastructure at will through blockchain transactions, rendering traditional IP-based blocking ineffective.<\/p>\n\n\n\n<p>Once connected, the bot establishes encrypted communication and awaits commands from operators, which arrive as dynamic JavaScript code for execution.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tsundere represents a significant shift in botnet tactics, leveraging the power of legitimate Node.js packages and blockchain technology to distribute malware across multiple operating systems. First identified around mid-2025 by Kaspersky GReAT researchers, this botnet demonstrates the evolving sophistication of supply chain attacks. The threat originates from activity first observed in October 2024, where attackers
[&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":133942,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgNxxSqz748StSgRl61aXu3Ug_1PQUI3wYspiidrpWdPlJXi6NEbAt-Pth_OhDnw6oA7d_oK-CW6bJ9Dx3MY-i3_CT9lSVxrupR4qQ8PZ_i4RqbBv0C5JtyMlY0JwvK_rG9M0mmG8ZLUcESOMsSjtgwBTTip0TcaVrpbfI5AFYpDEExePcPgD7auoL-WCs\/s16000\/Tsundere%20Botnet%20Abusing%20Popular%20Node.js%20and%20Cryptocurrency%20Packages%20to%20Attack%20Windows,%20Linux,%20and%20macOS%20Users.webp","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[11,48],"tags":[149,151],"class_list":{"0":"post-133911","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-security-news","8":"category-threats","9":"tag-cyber-security","10":"tag-cyber-security-news"},"yoast_head_json":{"description":"Tsundere botnet uses malicious npm packages, RMM tools, and fake game installers to spread malware across systems via typosquatted libraries.","og_site_name":"Cyber Security News","author":"Tushar Subhra Dutta","twitter_misc":{"Written by":"Tushar Subhra Dutta","Est. reading time":"3 minutes"}},"jetpack_sharing_enabled":true}