VYPR

npm · Malicious package advisory

Malware

@torbeck/priority-queue

MAL-2026-10472

Malicious code in @torbeck/priority-queue (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b3109ebd719fa91812bd69e50b418b78f2a04c5478924f6ff53054cb798dc937)
The package republishes @datastructures-js/priority-queue verbatim — identical README pointing to datastructures-js.info, the original author 'Eyas Ranjous', and the upstream repository URL git+https://github.com/datastructures-js/priority-queue.git — under an unrelated @torbeck scope. Its package.json (L33-34) declares "dependencies": { "@datastructures-js/heap": "npm:@torbeck/heap@4.3.8" }, using npm alias syntax to silently substitute the legitimate @datastructures-js/heap with a sibling package @torbeck/heap@4.3.8 published by the same untrusted maintainer. src/priorityQueue.js does require('@datastructures-js/heap'), so on every import the substituted @torbeck/heap is loaded in place of the upstream package. The installer-facing harm is the namespace-abuse mechanism itself: any consumer who installs @torbeck/priority-queue automatically pulls @torbeck/heap under a name that reads as the legitimate datastructures-js dependency, regardless of what the @torbeck/heap tarball currently contains. The actual payload, if any, lives in @torbeck/heap and must be analyzed in its own record.

Compromised versions (3)

  • 6.3.9
  • 6.3.7
  • 6.3.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.