VYPR

npm · Malicious package advisory

Malware

@toni77777/aora

MAL-2026-4458

Malicious code in @toni77777/aora (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8566221a9ab9a1cb01b0f23e2af4b140d2e97310701b8c9a8f4bed1481fb22b2)
On `npm install`, scripts/postinstall.js fetches a platform-specific executable from `https://github.com/yourusername/aora/releases/download/v0.1.0/<asset>`, writes it to `bin/aora`, chmods it 0755, and the package's `bin` entry then spawns it. The download URL points at GitHub account `yourusername` — a placeholder that does not match the package publisher (`@toni77777`). No hash or signature verification is performed on the fetched bytes. Anyone who registers or controls the `yourusername` GitHub account can upload a release at this path and have arbitrary native code executed on every installer's machine. The script also unconditionally overwrites a ~15 MB native binary shipped in the tarball at `bin/aora`, so even the locally auditable bytes are replaced at install time. The fetch is not pinned by hash, the publisher does not match the host, and the resulting binary is executed — the canonical install-time dropper shape.

Compromised versions (2)

  • 0.1.0
  • 0.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.