MAL-2026-10404: Malicious code in @ica-gaming/slot-engine (npm)
The npm package @ica-gaming/slot-engine version 1.1.0 contains malicious code embedded within a WebAssembly (WASM) slot-math engine. The package includes obfuscated Node.js modules that establish a remote-access and credential-theft toolkit. Upon execution, it communicates with a remote server to receive and run arbitrary code, enabling persistent arbitrary code execution. It also downloads and silently installs Windows and macOS payloads, enumerates browser profiles and wallet files for credential theft, and exfiltrates collected data. The malicious payload is disguised as normal engine initialization to evade detection.
AI Analysis
Technical Summary
The @ica-gaming/slot-engine npm package (version 1.1.0) masquerades as a deterministic WASM slot-math engine but embeds obfuscated Node.js modules and Emscripten JavaScript shims that implement a remote-access and credential-theft toolkit. On invocation, it opens a Node.js require context, sends an installer ID to a remote HTTPS endpoint on a jittered polling loop, and executes returned code dynamically, allowing arbitrary code execution on the host. Additional helpers download and silently install Windows and macOS payloads, create polyglot wrapper scripts, and enumerate browser profiles (Chrome, Firefox, and derivatives) and wallet/keystore files to steal credentials and sensitive data. The payload uses obfuscation techniques uncommon in legitimate Emscripten output and includes cover strings to disguise malicious activity as normal initialization.
Potential Impact
This malicious package enables an attacker to gain arbitrary code execution on the host system, persistently execute remote code, silently install additional malware payloads on Windows and macOS, and steal sensitive credentials and data from multiple browser profiles and cryptocurrency wallets. This can lead to full system compromise, data theft, and further malware deployment.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package. Users should immediately remove version 1.1.0 of @ica-gaming/slot-engine from their environments and avoid installing this package. Conduct a thorough investigation for potential compromise if this package was used, including scanning for additional malware and credential theft. Monitor for suspicious network activity related to the described remote code execution behavior. Check vendor advisories or trusted security sources for updates or remediation guidance.
MAL-2026-10404: Malicious code in @ica-gaming/slot-engine (npm)
Description
The npm package @ica-gaming/slot-engine version 1.1.0 contains malicious code embedded within a WebAssembly (WASM) slot-math engine. The package includes obfuscated Node.js modules that establish a remote-access and credential-theft toolkit. Upon execution, it communicates with a remote server to receive and run arbitrary code, enabling persistent arbitrary code execution. It also downloads and silently installs Windows and macOS payloads, enumerates browser profiles and wallet files for credential theft, and exfiltrates collected data. The malicious payload is disguised as normal engine initialization to evade detection.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The @ica-gaming/slot-engine npm package (version 1.1.0) masquerades as a deterministic WASM slot-math engine but embeds obfuscated Node.js modules and Emscripten JavaScript shims that implement a remote-access and credential-theft toolkit. On invocation, it opens a Node.js require context, sends an installer ID to a remote HTTPS endpoint on a jittered polling loop, and executes returned code dynamically, allowing arbitrary code execution on the host. Additional helpers download and silently install Windows and macOS payloads, create polyglot wrapper scripts, and enumerate browser profiles (Chrome, Firefox, and derivatives) and wallet/keystore files to steal credentials and sensitive data. The payload uses obfuscation techniques uncommon in legitimate Emscripten output and includes cover strings to disguise malicious activity as normal initialization.
Potential Impact
This malicious package enables an attacker to gain arbitrary code execution on the host system, persistently execute remote code, silently install additional malware payloads on Windows and macOS, and steal sensitive credentials and data from multiple browser profiles and cryptocurrency wallets. This can lead to full system compromise, data theft, and further malware deployment.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package. Users should immediately remove version 1.1.0 of @ica-gaming/slot-engine from their environments and avoid installing this package. Conduct a thorough investigation for potential compromise if this package was used, including scanning for additional malware and credential theft. Monitor for suspicious network activity related to the described remote code execution behavior. Check vendor advisories or trusted security sources for updates or remediation guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10404
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54ad9b68715ace438f3a3c
Added to database: 07/13/2026, 09:19:23 UTC
Last enriched: 07/13/2026, 09:26:00 UTC
Last updated: 07/13/2026, 09:26:00 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.