Microsoft on Tuesday issued a warning over the increasing use of Node.js for the delivery of malware and other malicious payloads.
The tech giant has been seeing such attacks aimed at its customers since October 2024 and some of the observed campaigns are still active in April 2025.
The open source cross-platform runtime environment Node.js is popular among developers, allowing them to execute JavaScript code outside of web browsers. However, this also makes it tempting for threat actors, who can leverage it to disguise their malware and bypass security mechanisms.
In one campaign seen by Microsoft, cybercriminals used cryptocurrency-related malvertising to trick users into downloading a malicious installer disguised as a legitimate file from crypto platforms such as TradingView or Binance.
The installer contains a malicious DLL that is loaded to gather basic system information. A PowerShell script then downloads the Node.js binary and a JavaScript file that is executed by Node.js. The routine executed by the JavaScript file includes loading multiple modules, adding certificates to the device, and stealing sensitive browser information.
