Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.

Threats Tagged 'mal-2026-10743'

View all threats tagged with 'mal-2026-10743'. Filter and sort to focus on specific types of threats.

Pro Console Lifetime

Stop chasing alerts. Route them.

Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.

Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)

View Plans & Pricing

API access activates after upgrading in Console -> Billing.

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now

Filter Threats

Narrow down the results by type, severity, or affected countries

Search threats by title, CVE ID, or description. Maximum 100 characters.
Active filters (1):Tag: mal-2026-10743

Threats Tagged 'mal-2026-10743'

Click on any threat for detailed analysis and mitigation recommendations

MAL-2026-10743: Malicious code in nordpass (npm)
0

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9df6f21fababcd99ba522d380a0729d35aa4ff44ee2f6612fe75b906da844aee) Package name impersonates the NordPass password-manager product while presenting itself as 'A simple authentication module.' The package.json postinstall runs `make -C src && cp src/auth_module./bin/flare && node src/install.js`. src/install.js is a ~100 KB heavily obfuscated file (obfuscator.io-style string-array decoder with rotation, unicode-escaped identifiers, XOR-numeric literals) that reads /etc/passwd, derives XOR key material from that content combined with hardcoded byte constants, base64-decodes an embedded payload, XOR-decrypts it, and passes the resulting string to eval(). The decode-and-exec path is guarded by anti-analysis checks: a NODE_OPTIONS `--inspect` check, a Date.now() timing gate, and an `OG_`-prefixed environment-variable kill switch. A compiled `auth_module` binary is also staged to `./bin/flare` during postinstall. The combination — brand impersonation, obfuscation, host-file read used as key material, base64+XOR+eval of an embedded blob, anti-debug and kill-switch guards, and a staged native binary — executes attacker-controlled code on the installer's machine at `npm install` time. ## Source: ossf-package-analysis (9924ec9036b6c4caf7436a5e7ba79ed4e1b31fb1732c884d164c340a6982886d) The OpenSSF Package Analysis project identified 'nordpass' @ 1.0.2 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.

Join the discussion

Showing 1 to 1 of 1 result

Filters:Tag: mal-2026-10743
Page 1 of 1
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses