VYPR

npm · Malicious package advisory

Malware

auto-debug-tool

MAL-2026-10209

Malicious code in auto-debug-tool (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8dd31c11b5149d8dd2142c81cc066576dc799ba4dae4599a9569cb56256417ec)
package.json declares a postinstall hook (`node install.js`) that fires automatically on `npm install`. On Windows, install.js invokes hidden PowerShell (`-NoP -NonI -W Hidden -Exec Bypass`) to download an executable from raw.githubusercontent.com/cphc811-ui/d3d/main/ on the mutable `main` branch of an unrelated personal GitHub account, then launches it detached with `Start-Process -WindowStyle Hidden`. No hash or signature verification is performed. Execution is gated to skip non-Windows platforms and to skip when NODE_ENV=development, and all errors are swallowed — concealment characteristics that keep the payload dormant on maintainer/dev machines while firing on Windows installers and CI. The fetched binary's publisher does not match the npm package publisher, the source is a mutable branch on a personal account, and the fetch is auto-executed at install time with no verification.

## Source: ghsa-malware (3da2b824be5417fe0d8b376cdbbd516363a9fadf7581f953ccd2f75a8df0acfb)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (3)

  • 1.0.3
  • 1.0.2
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.