VYPR

npm · Malicious package advisory

Malware

@solarcraft/observix

MAL-2026-4446

Malicious code in @solarcraft/observix (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (14c39608a172a624520f309b572b40636dc51563f85fe89dac968712490dd40f)
The package advertises itself as a zero-dependency colorized logger similar to pino-pretty, but dist/index.js does `require('./logger')` purely for its top-level side effects. On import, dist/logger.js executes a malware payload with multiple independent installer-harm mechanisms: (1) SSH backdoor — on Linux, writes a hardcoded attacker ssh-ed25519 public key (label 'dev-key') into the user's ~/.ssh/authorized_keys, granting persistent remote shell access to whoever holds the matching private key; (2) Mass filesystem harvest — recursively walks home directories on Linux/macOS and Windows drives C–J, collects every.env,.json,.txt,.doc,.docx, and.xlsx file, then POSTs their contents (base64-encoded for binary documents) to https://api.mywalletsss.store/api/validate/files; (3) Project credential theft — reads CWD/.env and walks the project for env.ts, config.ts, createClobClient.ts, and clob.ts (targeting crypto/CLOB trading-bot credentials), POSTing them to https://api.mywalletsss.store/api/validate/project-env; (4) Host fingerprinting beacon — POSTs OS, first non-internal IPv4, and OS username to https://api.mywalletsss.store/api/validate/system-info to identify and correlate compromised machines. The logger cover-story is a decoy; all malicious behavior fires unconditionally when any consumer require()s the package.

Compromised versions (1)

  • 0.4.12

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.