T1555.003

Credentials from Password Stores: Web Browsers

discovered 2026-05-28

Steals credentials from Chrome, Brave, Edge, Vivaldi, Opera, Opera GX, Yandex (DPAPI via koffi FFI into Crypt32.dll) and Firefox (NSS library loader). Extracts saved passwords, cookies, and autofill data.

View on MITRE ATT&CK

Seen in packages

npm js-logger-packuses
npm faster-axiosuses

Campaigns

Contagious Interviewattributed-to
Epsilon Axios Typosquat Campaignattributed-to