MAL-2026-6570: Malicious code in pkg-fallback (npm)
The npm package 'pkg-fallback' version 1.1.0 is a malicious supply-chain dropper disguised as a small string-manipulation library. During installation, it fetches and installs arbitrary tarballs over unencrypted HTTP from an unrelated IP address, bypassing publisher infrastructure and lacking integrity verification. This behavior is inconsistent with its advertised functionality and indicates deliberate evasion tactics.
AI Analysis
Technical Summary
The 'pkg-fallback' npm package (version 1.1.0) advertises itself as a string utility library but acts as a supply-chain dropper. Its package.json declares a dependency on 'native-bridge' sourced from an untrusted HTTP URL pointing to a bare IP address, which is unrelated to the publisher. Upon 'npm install', it downloads and installs this arbitrary tarball into the node_modules directory and executes lifecycle scripts. Additionally, a postinstall script downloads a second tarball over HTTP, saving it locally while suppressing errors. Neither download is pinned or hash-verified, and the contents do not justify the declared native dependency. This install-time behavior is a deliberate evasion technique to deliver malicious code through the supply chain.
Potential Impact
The malicious package can execute arbitrary code during installation by downloading and running unverified payloads from an attacker-controlled server. This compromises the security of any environment that installs version 1.1.0 of 'pkg-fallback', potentially leading to unauthorized code execution and further compromise of dependent systems.
Mitigation Recommendations
No official patch or remediation is currently documented for this package version. Users should avoid installing 'pkg-fallback' version 1.1.0. Verify package sources carefully and prefer packages with verified dependencies and secure download mechanisms. Monitor vendor advisories for updates or removal of the malicious package from npm registries.
MAL-2026-6570: Malicious code in pkg-fallback (npm)
Description
The npm package 'pkg-fallback' version 1.1.0 is a malicious supply-chain dropper disguised as a small string-manipulation library. During installation, it fetches and installs arbitrary tarballs over unencrypted HTTP from an unrelated IP address, bypassing publisher infrastructure and lacking integrity verification. This behavior is inconsistent with its advertised functionality and indicates deliberate evasion tactics.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'pkg-fallback' npm package (version 1.1.0) advertises itself as a string utility library but acts as a supply-chain dropper. Its package.json declares a dependency on 'native-bridge' sourced from an untrusted HTTP URL pointing to a bare IP address, which is unrelated to the publisher. Upon 'npm install', it downloads and installs this arbitrary tarball into the node_modules directory and executes lifecycle scripts. Additionally, a postinstall script downloads a second tarball over HTTP, saving it locally while suppressing errors. Neither download is pinned or hash-verified, and the contents do not justify the declared native dependency. This install-time behavior is a deliberate evasion technique to deliver malicious code through the supply chain.
Potential Impact
The malicious package can execute arbitrary code during installation by downloading and running unverified payloads from an attacker-controlled server. This compromises the security of any environment that installs version 1.1.0 of 'pkg-fallback', potentially leading to unauthorized code execution and further compromise of dependent systems.
Mitigation Recommendations
No official patch or remediation is currently documented for this package version. Users should avoid installing 'pkg-fallback' version 1.1.0. Verify package sources carefully and prefer packages with verified dependencies and secure download mechanisms. Monitor vendor advisories for updates or removal of the malicious package from npm registries.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6570
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a42ed7827e9c797199395e8
Added to database: 06/29/2026, 22:11:04 UTC
Last enriched: 06/29/2026, 22:42:16 UTC
Last updated: 06/30/2026, 00:40:26 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.