Threats Tagged 'mal-2026-10743'
View all threats tagged with 'mal-2026-10743'. Filter and sort to focus on specific types of threats.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threats Tagged 'mal-2026-10743'
Click on any threat for detailed analysis and mitigation recommendations
MAL-2026-10743: Malicious code in nordpass (npm) 0 --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9df6f21fababcd99ba522d380a0729d35aa4ff44ee2f6612fe75b906da844aee) Package name impersonates the NordPass password-manager product while presenting itself as 'A simple authentication module.' The package.json postinstall runs `make -C src && cp src/auth_module./bin/flare && node src/install.js`. src/install.js is a ~100 KB heavily obfuscated file (obfuscator.io-style string-array decoder with rotation, unicode-escaped identifiers, XOR-numeric literals) that reads /etc/passwd, derives XOR key material from that content combined with hardcoded byte constants, base64-decodes an embedded payload, XOR-decrypts it, and passes the resulting string to eval(). The decode-and-exec path is guarded by anti-analysis checks: a NODE_OPTIONS `--inspect` check, a Date.now() timing gate, and an `OG_`-prefixed environment-variable kill switch. A compiled `auth_module` binary is also staged to `./bin/flare` during postinstall. The combination — brand impersonation, obfuscation, host-file read used as key material, base64+XOR+eval of an embedded blob, anti-debug and kill-switch guards, and a staged native binary — executes attacker-controlled code on the installer's machine at `npm install` time. ## Source: ossf-package-analysis (9924ec9036b6c4caf7436a5e7ba79ed4e1b31fb1732c884d164c340a6982886d) The OpenSSF Package Analysis project identified 'nordpass' @ 1.0.2 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. Join the discussion | GCVE Database | 07/16/2026, 06:35:57 UTC Added: 07/17/2026, 10:14:56 UTC |
Showing 1 to 1 of 1 result