VYPR

npm · Malicious package advisory

Malware

bolt-delivery-menu-app

MAL-2026-4499

Malicious code in bolt-delivery-menu-app (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cc39247db76b4edd80084e400324518739f141dafda621d368c3e5a9ac41f791)
Package executes a DNS-based beacon at both install time (package.json scripts.install runs `node index.js`) and on every `require()` of the module. lib/core.js reads `os.userInfo().username`, `os.hostname()`, and `process.cwd()`, concatenates them with a campaign tag into a single label, and triggers `dns.resolve4` against that label under the attacker-controlled domain `oob.sl4x0.xyz`, leaking installer host identity over DNS (a channel chosen to bypass HTTP-egress controls). The C2 domain and Node built-in names (`os`, `dns`, `process`, `resolve4`) are stored as char-code arrays in lib/b02e30.js and lib/6ad264.js to defeat string-grep scanners. The package name `bolt-delivery-menu-app` impersonates the Bolt delivery brand while shipping generic 'Enterprise Utilities' boilerplate as its cover story, and the author email `research@sl4x0.xyz` resolves to the same domain as the exfil destination — the typosquat lure, the cover identity, and the C2 are one operation. README falsely claims 'No network requests'.

Compromised versions (1)

  • 9.9.11

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.