The malicious @merceas/cross-fetch package (version 3.1.12) masquerades as the legitimate cross-fetch npm package by reusing its README, homepage, and author metadata. Its main module includes decoy code plus obfuscated Immediately Invoked Function Expressions (IIFEs) that dynamically import Node.js core modules to decrypt a URL, fetch a payload via HTTPS with retry and redirect handling, write the payload to a temporary directory, set executable permissions, and execute it via bash. It also spawns a detached child process for persistence. The obfuscation techniques include string-array numeric shifts, RC4-keyed base64 lookups, and anti-tamper debugger self-tests to evade static analysis. Importing this package results in execution of attacker-controlled code on the host.

This malicious package enables remote code execution on any system that imports it, potentially compromising build environments, continuous integration pipelines, production systems, or developer machines. The attacker-controlled payload can execute arbitrary commands with the privileges of the importing process, leading to full system compromise, persistence, and further malicious activity. There are no known exploits in the wild reported at this time.

No official patch or remediation is currently available for this malicious package. Users and organizations should immediately remove the @merceas/cross-fetch package version 3.1.12 from their projects and dependency trees. Verify that no transitive dependencies are pulling in this package. Use trusted sources and verify package authenticity before installation. Monitor for any unusual activity on affected systems and consider rebuilding environments after removal. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.