VYPR

npm · Malicious package advisory

Malware

fetchcraft

MAL-2026-10435

Malicious code in fetchcraft (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c1a40f1af8ba957a18b37ddba0dbe5634112f489841b22208eff421f9a09f786)
package.json declares the runtime dependency `node-runtime-utils` as `https://github.com/Hexa-devy/node-runtime-utils/archive/refs/heads/main.tar.gz` — a tarball fetched from the mutable `main` branch of a personal GitHub user's repository, with no commit SHA, tag, or integrity hash pinning. On `npm install fetchcraft`, npm downloads and installs whatever bytes that URL serves at install time, including any lifecycle scripts (preinstall/install/postinstall/prepare) shipped in the fetched tarball. Because the source is a mutable branch under a personal account rather than a registry-published package or a pinned commit, the contents can be swapped at any time without any change to fetchcraft itself, allowing arbitrary code to be executed on the installer's machine. The dependency is not referenced by the package's exported code, giving it no legitimate functional purpose.

Compromised versions (2)

  • 1.0.1
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.