Threats Tagged 'malicious-package'
View all threats tagged with 'malicious-package'. Filter and sort to focus on specific types of threats.
MAL-2026-6477: Malicious code in runtimekit (npm)
The npm package 'runtimekit' versions 1.0.1 and 1.0.5 contain malicious code that executes arbitrary JavaScript during module load. The package includes an obfuscated self-executing function that decodes hidden strings to dynamically construct and run code with full Node.js privileges. This behavior occurs when requiring 'runtimekit' or 'runtimekit/readonly', allowing the malicious payload to run in-process. The package falsely advertises itself as a validation/runtime utility but embeds a loader with no legitimate purpose for obfuscation. No official patch or remediation guidance is currently provided.
GCVE Database | 06/25/2026, 21:55:52 UTC | Added: 06/26/2026, 22:06:29 UTC
MAL-2026-6485: Malicious code in starship-timeline (npm)
The starship-timeline npm package version 1.0.1 contains malicious code that executes automatically during installation. It collects sensitive host information including hostname, username, home directory, DNS servers, and contents of /etc/passwd and /etc/hosts. This data is exfiltrated via HTTPS to an attacker-controlled out-of-band endpoint. The package has no legitimate functionality and appears designed solely for data theft. There is no indication of a patch or fix available.
GCVE Database | 06/25/2026, 22:13:52 UTC | Added: 06/26/2026, 22:06:28 UTC
MAL-2026-6479: Malicious code in @salem_jalal/osc-components (npm)
The npm package @salem_jalal/osc-components version 1981.17.7 contains malicious code that exfiltrates sensitive information. Its postinstall script sends host identifiers to a remote server over unencrypted HTTP. Additionally, when loaded in a browser context, it harvests cookies, localStorage data, the current URL, and user agent details, sending them with credentials to the same remote server. The package impersonates another namespace (@dx-ui) to facilitate dependency confusion attacks.
GCVE Database | 06/25/2026, 22:23:33 UTC | Added: 06/26/2026, 22:06:26 UTC
MAL-2026-6483: Malicious code in log-update-ts (npm)
The npm package 'log-update-ts' version 0.1.0 is a malicious package impersonating the legitimate 'log-update' library. Instead of providing terminal output update functionality, it executes a multi-stage attack that collects system information, harvests sensitive files from user directories, targets specific project configuration files related to Polymarket CLOB API and crypto wallets, and uploads this data to an attacker-controlled server. Additionally, on Linux systems, it adds a hardcoded SSH public key to the user's authorized_keys file, enabling persistent unauthorized SSH access.
GCVE Database | 06/25/2026, 22:28:07 UTC | Added: 06/26/2026, 22:06:26 UTC
MAL-2026-6481: Malicious code in gx-npm-ui (npm)
The gx-npm-ui package version 99.99.99 published on npm contains malicious code that executes during installation. Its postinstall script runs beacon.js, which collects sensitive environment information including hostname, OS username, current directory, package name, Node version, and environment variable names. This data is exfiltrated to an attacker-controlled domain via DNS lookups and HTTPS GET requests. Any system installing this package leaks identifying information to the attacker.
GCVE Database | 06/25/2026, 22:30:07 UTC | Added: 06/26/2026, 22:06:26 UTC
MAL-2026-6480: Malicious code in gx-npm-lib (npm)
The gx-npm-lib package version 99.99.99 is a malicious npm package designed to perform a supply-chain attack via dependency confusion. Upon installation, its postinstall script executes beacon.js, which collects detailed environment metadata including package name, hostname, username, current working directory, environment variables, and Node.js version. This data is exfiltrated through DNS lookups and HTTPS requests to a hardcoded attacker-controlled domain. Although labeled as a 'security-research placeholder,' this does not imply user consent, and installation results in unauthorized data leakage. This threat represents an active supply-chain compromise vector.
GCVE Database | 06/25/2026, 22:30:08 UTC | Added: 06/26/2026, 22:06:24 UTC
MAL-2026-6488: Malicious code in pyext6cc8cd (PyPI)
The pyext6cc8cd package version 1.0.0 on PyPI contains malicious code in its setup.py that executes arbitrary commands during installation. Specifically, it decodes a hex string to run the macOS Calculator application via subprocess.Popen unconditionally before the package setup completes. This behavior demonstrates that the package runs untrusted code at install time, posing a risk of arbitrary command execution. The package metadata is placeholder and it contains no functional code, indicating it is a proof-of-concept or test artifact. The obfuscation technique used to hide the command is designed to evade detection by scanners. While the current payload is benign, it could be replaced with destructive or data-exfiltration commands.
GCVE Database | 06/25/2026, 22:45:45 UTC | Added: 06/26/2026, 22:06:24 UTC
MAL-2026-6467: Malicious code in @vpms/design-system (npm)
The npm package '@vpms/design-system' versions 0.1.3, 1.0.0, 1.0.1, and 1.1.2 contain malicious code that exfiltrates sensitive environment variables and system information during installation. The package's preinstall script collects secrets such as tokens and credentials from environment variables, along with system metadata and running processes, and sends this data to a hardcoded external endpoint. Although the package claims to be a 'PenTest design system' canary, it does not provide any legitimate design system functionality and instead performs unauthorized credential harvesting.
GCVE Database | 06/25/2026, 17:20:53 UTC | Added: 06/26/2026, 22:06:24 UTC
MAL-2026-6466: Malicious code in gx-npm-feature-flags (npm)
The npm package 'gx-npm-feature-flags' version 99.99.99 is identified as a malicious dependency-confusion squat that executes code during installation to exfiltrate environment and system information. It collects data such as the installer's OS hostname, user info, current directory, package name, Node version, and environment variable names, then sends this information covertly to a hardcoded external domain using DNS lookups and HTTPS requests. This behavior occurs without user consent and is designed to evade detection by proxy logs and egress filtering.
GCVE Database | 06/25/2026, 17:06:05 UTC | Added: 06/26/2026, 22:06:22 UTC
MAL-2026-6482: Malicious code in kelly-stake (npm)
The kelly-stake npm package versions 3.5.2 through 3.5.6 contain malicious code that executes arbitrary commands on the consumer's machine during installation. The postinstall script downloads and runs unverified remote code from an attacker-controlled domain, enabling remote code execution without user awareness. This behavior allows the attacker to rotate payloads dynamically without republishing the package. The installation process suppresses errors to avoid detection, ensuring the malicious code runs on every installation.
GCVE Database | 06/25/2026, 22:37:28 UTC | Added: 06/26/2026, 22:06:22 UTC
Showing 1 to 10 of 80 results