npm · Malicious package advisory
Malware@weirdorg/config
MAL-2026-4466
Malicious code in @weirdorg/config (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b28e2fe6ac03c8e426aeb69f62bf0b2bd4dfdb06a5acee273bb5967186c5504d)
`@weirdorg/config` impersonates the widely-used `config` (node-config) package, copying its README verbatim including the `require('config')` usage example. The package's `index.js` redirects to `./lib/load.js`, a ~422 KB file protected with obfuscator.io-style RC4 string-array decoding wrapping a custom VM interpreter. The VM captures the host `require`, `module`, `exports`, `__dirname`, and `__filename` into a global context and then evaluates multiple large base64-encoded bytecode payloads (e.g. `_0x191ca6=["AcIHAQAEBOjIWW0O8b9jdskw9QJh7xQQCAAF7QEDACYE..."]`). The code also references `execArgv`, `inspector`, and `SIGUSR1` — debugger-evasion strings with no place in a configuration library. Because `lib/load.js` is loaded immediately by `index.js`, opaque attacker-controlled code executes the moment any consumer runs `require('@weirdorg/config')`. The combination of (a) name confusion against a top-tier registry package, (b) verbatim README copy to mislead installers, (c) replaced entrypoint pointing at a heavily obfuscated VM, and (d) captured host `require`/`module` handles plus interpreted bytecode is the canonical malicious-loader shape — the exact network/exec behavior is intentionally hidden behind two layers of obfuscation, but arbitrary code execution in the installer's Node process is implicit in the design.
Compromised versions (1)
- 1.0.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.