npm · Malicious package advisory
Malware@toni77777/aora
MAL-2026-4458
Malicious code in @toni77777/aora (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8566221a9ab9a1cb01b0f23e2af4b140d2e97310701b8c9a8f4bed1481fb22b2) On `npm install`, scripts/postinstall.js fetches a platform-specific executable from `https://github.com/yourusername/aora/releases/download/v0.1.0/<asset>`, writes it to `bin/aora`, chmods it 0755, and the package's `bin` entry then spawns it. The download URL points at GitHub account `yourusername` — a placeholder that does not match the package publisher (`@toni77777`). No hash or signature verification is performed on the fetched bytes. Anyone who registers or controls the `yourusername` GitHub account can upload a release at this path and have arbitrary native code executed on every installer's machine. The script also unconditionally overwrites a ~15 MB native binary shipped in the tarball at `bin/aora`, so even the locally auditable bytes are replaced at install time. The fetch is not pinned by hash, the publisher does not match the host, and the resulting binary is executed — the canonical install-time dropper shape.
Compromised versions (2)
- 0.1.0
- 0.1.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.