VYPR

npm · Malicious package advisory

Malware

@dreamlake/lakeshore

MAL-2026-4384

Malicious code in @dreamlake/lakeshore (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8ef6f14503697000ebd139364326d859a625a27a669e6f53b3e7a9388c3b0b25)
On install, dist/cli/daemon/install.js fetches content from https://pub-c0109e197b4a4d1abe5884ac4dd3a023.r2.dev — an anonymous Cloudflare R2 bucket — and posts to remote endpoints. Anonymous R2 buckets (pub-*.r2.dev) are documented payload-distribution infrastructure used by recent npm dropper campaigns: the bucket owner can rotate the served bytes at any time without changing the package, and there is no publisher-matching, no version pinning, and no integrity check tying the fetched content to this package. The host does not match any documented publisher domain for @dreamlake/lakeshore. This is the malicious-dropper shape — install of the package causes execution of attacker-mutable remote content on the installer's machine.

Compromised versions (2)

  • 0.1.17
  • 0.1.16

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.