npm · Malicious package advisory
Malwaregifuct
MAL-2026-10451
Malicious code in gifuct (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (965f65127a6b6d2a6865e91efe6a878ae1e076b9ef4de23152aef4ee6080038b) Package name typosquats the legitimate `gifuct-js` GIF parser and re-exports it as cover. On module load, code reconstructs the host `filament-zap.vercel.app` and paths `/service/assets/fetchBinary` / `/service/assets/fetchLinuxBinary` from String.fromCharCode numeric arrays, downloads a platform-specific executable, writes it to a `WinMetrics`/`WinService.exe` path under the user data directory, chmods it 0755 on Linux, and spawns it detached with stdio ignored and unref'd. The payload is fetched over an obfuscated, unpinned URL with no hash or signature verification, and the download-and-execute path is unrelated to the advertised GIF-parsing purpose.
Compromised versions (1)
- 2.1.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.