npm · Malicious package advisory
Malware@kruzer/lib-ui
MAL-2026-4401
Malicious code in @kruzer/lib-ui (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c1bb1f66615de2b0b161721218d2bff4bb0e7100b5cb28b764fcc2e6f1ee671f) The published tarball's package.json contains a hardcoded npm registry auth token embedded in the `build:publish` script: `npm publish --tag alpha --//registry.npmjs.org/:_authToken=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`. The token is delivered to every installer of this package and grants publish privileges to the author's @kruzer/* npm scope. Anyone who installs or inspects this package can use the token to publish arbitrary (potentially malicious) versions of any package under @kruzer, which would then be pulled into all downstream installers of those packages. This is credential distribution to a third-party system (npm registry), not merely author self-harm — the blast radius extends to every downstream consumer of the @kruzer scope.
Compromised versions (2)
- 0.0.0-alpha.497
- 0.0.0-alpha.491
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.