MAL-2026-6496: Malicious code in @dervix/ws (npm)
The npm package @dervix/ws is a malicious typosquatting package impersonating the legitimate ws WebSocket library. It contains heavily obfuscated code that executes upon import, spawning a detached child process that downloads, decrypts, and executes attacker-controlled binary code. The package metadata mimics the legitimate ws project to deceive users. There is no signature verification or version pinning, and the malicious payload is designed to evade static analysis and debugger detection.
AI Analysis
Technical Summary
The @dervix/ws npm package is a deliberate typosquatting malicious package that clones the metadata of the legitimate ws WebSocket library to deceive users. Upon requiring the package, it executes obfuscated code that respawns the Node.js process in a detached manner, constructs an AES-256 key from hardcoded buffers, and downloads an encrypted payload from an obfuscated URL. This payload is decrypted and executed with elevated permissions. The use of dynamic imports and runtime checks prevents static detection and debugger analysis. This results in arbitrary attacker-controlled binary code execution on any system that installs and imports the package.
Potential Impact
Any system that installs and imports the affected versions of @dervix/ws (=8.21.3 and =8.21.4) is at risk of executing arbitrary malicious code controlled by an attacker. This can lead to full system compromise, persistence via daemonized processes, and potential further payload delivery. The malicious code runs automatically on import, increasing the risk of widespread compromise if the package is used in development or production environments.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. The best mitigation is to avoid installing or using the @dervix/ws package entirely. Users should verify package names carefully to avoid typosquatting attacks and prefer the legitimate ws package from the official npm registry. Monitoring for and removing any instances of @dervix/ws in projects is recommended. Since this is a malicious package, remediation involves removal and replacement with the legitimate library rather than patching.
MAL-2026-6496: Malicious code in @dervix/ws (npm)
Description
The npm package @dervix/ws is a malicious typosquatting package impersonating the legitimate ws WebSocket library. It contains heavily obfuscated code that executes upon import, spawning a detached child process that downloads, decrypts, and executes attacker-controlled binary code. The package metadata mimics the legitimate ws project to deceive users. There is no signature verification or version pinning, and the malicious payload is designed to evade static analysis and debugger detection.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The @dervix/ws npm package is a deliberate typosquatting malicious package that clones the metadata of the legitimate ws WebSocket library to deceive users. Upon requiring the package, it executes obfuscated code that respawns the Node.js process in a detached manner, constructs an AES-256 key from hardcoded buffers, and downloads an encrypted payload from an obfuscated URL. This payload is decrypted and executed with elevated permissions. The use of dynamic imports and runtime checks prevents static detection and debugger analysis. This results in arbitrary attacker-controlled binary code execution on any system that installs and imports the package.
Potential Impact
Any system that installs and imports the affected versions of @dervix/ws (=8.21.3 and =8.21.4) is at risk of executing arbitrary malicious code controlled by an attacker. This can lead to full system compromise, persistence via daemonized processes, and potential further payload delivery. The malicious code runs automatically on import, increasing the risk of widespread compromise if the package is used in development or production environments.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. The best mitigation is to avoid installing or using the @dervix/ws package entirely. Users should verify package names carefully to avoid typosquatting attacks and prefer the legitimate ws package from the official npm registry. Monitoring for and removing any instances of @dervix/ws in projects is recommended. Since this is a malicious package, remediation involves removal and replacement with the legitimate library rather than patching.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6496
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a3ef7c927e9c79719000244
Added to database: 06/26/2026, 22:06:01 UTC
Last enriched: 06/26/2026, 22:36:06 UTC
Last updated: 06/27/2026, 04:32:58 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.