npm · Malicious package advisory
Malwaredot-utils-plus
MAL-2026-4549
Malicious code in dot-utils-plus (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3091b9bb8cbf714d9391a59f7303a3748e183bbdf0fba2264b7496a2072e717f) On every import, dist/index.js base64-decodes a hardcoded AES-256-CBC ciphertext, derives a key from environment variable VITE_DOT_UTILS_AES_SECRET, decrypts the result into JavaScript source, wraps it in a Blob/data URL, and dynamically `import()`s it. The decrypted code is opaque to consumers and to static review; whoever holds the AES secret can ship arbitrary JavaScript to every downstream application that loads this library. This is a backdoor/remote-code-execution surface delivered through a library's normal import path. In addition, the same bundle monkey-patches the global `EventTarget.prototype.addEventListener` at import time. For every `click` listener registered after the patch, on dates after 2026-06-10 and when running outside development, the wrapper has a 5% chance of busy-waiting 5000ms on the main thread — a date-gated logic bomb that silently degrades any web app loading the package. None of this behavior is documented in the README or the declared API, and `package.json` carries placeholder author metadata (`"Your Name"`) with a self-described "encrypted distribution build" as the only shipped artifact.
Compromised versions (3)
- 0.1.9
- 0.1.5
- 0.1.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.