MUT-4831
MUT-4831 is the name used by Datadog Security Labs to track a malicious npm supply-chain activity cluster that distributed Vidar Stealer via 17 npm packages in October 2025. The packages masqueraded as benign SDKs and were published by the npm accounts "aartje" and "saliii229911," which were later banned. Some of the packages were first flagged on October 21, 2025, with additional uploads on October 22 and October 26, and they were downloaded at least 2,240 times before removal. The attack chain used a postinstall script in package.json, and in some variants a post-install PowerShell script, to download a ZIP archive from bullethost[.]cloud and execute Vidar on victim systems. The Vidar 2.0 samples used hard-coded Telegram and Steam accounts as dead drop resolvers for command-and-control. MUT-4831 is associated with software supply-chain compromise targeting open-source ecosystems through npm package publication and malware delivery.
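Because the chain starts from an install-time lifecycle script in package.json, a dependency tree can be audited for such hooks. The following is an added example, not code from Datadog or from this page; the patterns are heuristic assumptions and the sample manifests are constructed placeholders.

```javascript
const HOOKS = ['preinstall', 'install', 'postinstall'];
// Heuristic patterns (assumptions, not vendor signatures) for a hook that fetches or runs a payload.
const RULES = {
  powershell: /\b(powershell|pwsh)(\.exe)?\b/i,
  downloader: /\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest|iwr|Start-BitsTransfer)\b/i,
  archive: /\bExpand-Archive\b|\bunzip\b|\.zip\b/i,
  url: /https?:\/\//i,
};
// Constructed sample manifests; package and file names are placeholders.
const SAMPLES = [
  { name: 'example-sdk-a', scripts: { postinstall: 'powershell -File setup.ps1' } },
  { name: 'example-sdk-b', scripts: { postinstall: 'node lib/setup.js', test: 'jest' } },
  { name: 'example-benign', scripts: { build: 'tsc' } },
];

// Return one finding per install-time hook declared in a parsed package.json.
function auditManifest(manifest) {
  const scripts = (manifest && typeof manifest.scripts === 'object' && manifest.scripts) || {};
  return HOOKS.filter((h) => typeof scripts[h] === 'string').map((hook) => {
    const command = scripts[hook];
    const tags = Object.keys(RULES).filter((k) => RULES[k].test(command));
    // A hook that only delegates to a file ("node setup.js") hides its logic in that file.
    const file = command.match(/[\w./\\-]+\.(?:c?js|mjs|ps1|bat|cmd|sh)\b/i);
    const severity = tags.length ? 'high' : 'review';
    return { name: manifest.name || '(unnamed)', hook, command, tags, inspectFile: file ? file[0] : null, severity };
  });
}

// Walk a node_modules tree (scoped and nested packages included) and audit every manifest.
async function scanTree(root) {
  const [fs, path] = await Promise.all([import('node:fs/promises'), import('node:path')]);
  const findings = [];
  for (const entry of await fs.readdir(root, { withFileTypes: true }).catch(() => [])) {
    if (!entry.isDirectory()) continue;
    const dir = path.join(root, entry.name);
    if (entry.name.startsWith('@')) { findings.push(...await scanTree(dir)); continue; }
    try {
      const text = await fs.readFile(path.join(dir, 'package.json'), 'utf8');
      findings.push(...auditManifest(JSON.parse(text)));
    } catch { /* no manifest or invalid JSON: nothing to audit */ }
    findings.push(...await scanTree(path.join(dir, 'node_modules')));
  }
  return findings;
}

// Usage: node audit-hooks.js ./node_modules   (no argument: audit the constructed samples)
const target = process.argv[2];
(target ? scanTree(target) : Promise.resolve(SAMPLES.flatMap(auditManifest)))
  .then((findings) => console.log(JSON.stringify(findings, null, 2)));
```

A "review" finding means the hook's command line looks harmless on its own, so the file named in `inspectFile` is where the download logic would live. Installing with `npm ci --ignore-scripts` keeps these hooks from running until the findings have been triaged.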