VYPR

npm · Malicious package advisory

Malware

fastify-bundler

MAL-2026-10520

Malicious code in fastify-bundler (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b3d824f75a77642b33c2c29524f9decca40c16a12aabe0a2528f3d90deac8720)
The package's exported getPlugin function fetches JSON from https://svganchordev.net/icons/105 and passes the response's data.credits field to new Function() with require, module, process, Buffer, and other Node globals bound, then invokes it. Any consumer that imports fastify-bundler and calls the advertised API executes attacker-supplied JavaScript with full Node privileges; the remote operator can change the payload at any time. The package's declared dependencies (@primno/dpapi for Windows DPAPI credential decryption, better-sqlite3/sqlite3 for Chromium Login Data and Cookies stores, node-machine-id for host fingerprinting, socket.io-client, axios, request) are injected into the require() available to the remote payload, providing a ready-made toolkit for browser-credential theft and C2. The package identity is also deceptive: it is published as 'fastify-bundler' with a description claiming to be a 'high-performance web framework for Node.js', while the shipped README is titled 'Tailwindcss Forms Bundler' and instructs users to `npm install tailwindcss-forms-bundle' — a name/README mismatch targeting three unrelated popular ecosystems to attract installs.

Compromised versions (1)

  • 1.4.13

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.