VYPR

npm · Malicious package advisory

Malware

cxpher-linux-arm32

MAL-2026-4547

Malicious code in cxpher-linux-arm32 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cd6c14d2899b638880b25bf1c35973ed1c9cf6fcb99331447e3da7c2478124c7)
The package's `main` is an ARM ELF binary that, when loaded, mkdtemp's a working directory under `/dev/shm/.cxpher.XXXXXX` or `/tmp/.cxpher.XXXXXX`, writes an unpacked JavaScript file (`a.js` and `/tmp/.cxpher-wrap.%d.js`), locates `node` at `/usr/local/bin/node` or `/usr/bin/node`, and execvp's node against the unpacked file. The bytes that ultimately run are decoded from an opaque high-entropy blob inside the ELF and are not human-auditable from the published tarball — equivalent to `eval(decode(blob))` but in native form. The same binary reads `/proc/self/status` and parses the `TracerPid:` field, the canonical Linux anti-ptrace anti-debug check; legitimate native addons do not need this. Package metadata is placeholder (no author, homepage, repository, or README; description is the generic string "Native binary for cxpher on linux-arm32"), and the binary references an alternate environment-variable prefix (`AGPK_AUDIO_FD` alongside `CXPHER_AUDIO_FD`) suggesting it was renamed/repurposed from a different project. No documentation describes what code is unpacked and run on the installer's machine.

Compromised versions (1)

  • 2.0.22

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.