MAL-2026-10057: Malicious code in chunk-parser (npm)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8ffcc87316488b883c382ff45dd16c0bccb3cba432351f0716f239f81be79017) The package advertises itself as a 'Pure Node.js chunk parser platform' but its shipped code is a full remote-access trojan under internal identifiers 'runtimedev-link'. lib/portable_runtime.js downloads a portable Node.js 22.22.0 runtime from nodejs.org into ~/.local/share/runtimedev-link/runtime/ and uses it to run a bundled agent CLI out-of-band from the developer's system Node. The agent installs cross-platform boot persistence: a Linux systemd --user unit (with cron @reboot and ~/.config/autostart fallbacks), a macOS LaunchAgent plist (Label com.runtimedev.link, RunAtLoad+KeepAlive) at ~/Library/LaunchAgents/com.runtimedev.link.plist, and a hidden Windows Task Scheduler task 'runtimedev-link' driven by a VBS launcher. Once persisted, commandLoop polls an operator-controlled API base (SSTAR_API_BASE / NODE_LINK_API_BASE) at /api/telemetry/poll-command, executes tasked shell commands via child_process, and returns stdout/stderr to /api/telemetry/command-result. download.js handleDownloadRequest zips any operator-named filesystem path (up to 50MB) and uploads it base64-encoded to /api/telemetry/upload-download, giving the operator arbitrary file exfiltration. postTelemetryReport continuously ships hostname, username, OS info, public IP (fetched from api.ipify.org), a walked directory tree of the user's home, and a Chrome/Edge/Brave/Chromium extensions inventory (enumerated from each browser's User Data profile) to /api/telemetry/report. All persistence launchers re-invoke `npx -y runtimedev-link@latest install --token <token>` at every logon/boot, giving the operator a live, unpinned auto-update channel that pulls whatever runtimedev-link@latest becomes on each persisted host.
MAL-2026-10057: Malicious code in chunk-parser (npm)
Description
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8ffcc87316488b883c382ff45dd16c0bccb3cba432351f0716f239f81be79017) The package advertises itself as a 'Pure Node.js chunk parser platform' but its shipped code is a full remote-access trojan under internal identifiers 'runtimedev-link'. lib/portable_runtime.js downloads a portable Node.js 22.22.0 runtime from nodejs.org into ~/.local/share/runtimedev-link/runtime/ and uses it to run a bundled agent CLI out-of-band from the developer's system Node. The agent installs cross-platform boot persistence: a Linux systemd --user unit (with cron @reboot and ~/.config/autostart fallbacks), a macOS LaunchAgent plist (Label com.runtimedev.link, RunAtLoad+KeepAlive) at ~/Library/LaunchAgents/com.runtimedev.link.plist, and a hidden Windows Task Scheduler task 'runtimedev-link' driven by a VBS launcher. Once persisted, commandLoop polls an operator-controlled API base (SSTAR_API_BASE / NODE_LINK_API_BASE) at /api/telemetry/poll-command, executes tasked shell commands via child_process, and returns stdout/stderr to /api/telemetry/command-result. download.js handleDownloadRequest zips any operator-named filesystem path (up to 50MB) and uploads it base64-encoded to /api/telemetry/upload-download, giving the operator arbitrary file exfiltration. postTelemetryReport continuously ships hostname, username, OS info, public IP (fetched from api.ipify.org), a walked directory tree of the user's home, and a Chrome/Edge/Brave/Chromium extensions inventory (enumerated from each browser's User Data profile) to /api/telemetry/report. All persistence launchers re-invoke `npx -y runtimedev-link@latest install --token <token>` at every logon/boot, giving the operator a live, unpinned auto-update channel that pulls whatever runtimedev-link@latest becomes on each persisted host.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10057
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50baa968715ace43585512
Added to database: 07/10/2026, 09:26:01 UTC
Last updated: 07/10/2026, 09:26:01 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.