The velocityfix package on npm, falsely claiming to be from the Velocity Team for Minecraft Velocity proxy performance fixes, contains malicious code. Its package.json defines a postinstall script that silently runs a bundled Windows executable (payload.exe) on every npm install. This executable collects system details such as hostname, OS information, IP address, and registry values, then exfiltrates this data along with a zip of collected files to a hardcoded C2 server at https://751.lol/upload/. The payload identifies itself as [INJECTOR] and employs sandbox and VM detection techniques by probing for artifacts like SbieDll.dll, snxhk.dll, Vboxguest.sys, vmGuestLib.dll, and VMware/VirtualBox indicators to evade analysis and only fully execute on real Windows hosts. This combination of supply-chain compromise, brand impersonation, and stealthy data exfiltration makes it a significant Windows-targeted threat. The affected versions are 1.0.0 through 1.0.4 inclusive.

The malicious velocityfix package compromises Windows hosts by executing a native payload during npm installation that exfiltrates sensitive system information and collected files to an attacker-controlled server. It can lead to unauthorized data disclosure and potential further compromise due to the stealthy nature of the payload and its evasion techniques. The threat is specific to Windows environments where the package is installed.

No official patch or remediation is currently documented for this malicious package. Users should avoid installing the velocityfix npm package, especially versions =1.0.0, =1.0.1, =1.0.2, =1.0.3, and =1.0.4. Remove any installations of this package and investigate affected systems for signs of compromise. Since this is a supply-chain malicious package, rely on trusted sources and verify package authenticity before installation. Monitor vendor advisories or npm security notices for updates or takedown information.