VYPR

npm · Malicious package advisory

Malware

dot-utils-plus

MAL-2026-4549

Malicious code in dot-utils-plus (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3091b9bb8cbf714d9391a59f7303a3748e183bbdf0fba2264b7496a2072e717f)
On every import, dist/index.js base64-decodes a hardcoded AES-256-CBC ciphertext, derives a key from environment variable VITE_DOT_UTILS_AES_SECRET, decrypts the result into JavaScript source, wraps it in a Blob/data URL, and dynamically `import()`s it. The decrypted code is opaque to consumers and to static review; whoever holds the AES secret can ship arbitrary JavaScript to every downstream application that loads this library. This is a backdoor/remote-code-execution surface delivered through a library's normal import path. In addition, the same bundle monkey-patches the global `EventTarget.prototype.addEventListener` at import time. For every `click` listener registered after the patch, on dates after 2026-06-10 and when running outside development, the wrapper has a 5% chance of busy-waiting 5000ms on the main thread — a date-gated logic bomb that silently degrades any web app loading the package. None of this behavior is documented in the README or the declared API, and `package.json` carries placeholder author metadata (`"Your Name"`) with a self-described "encrypted distribution build" as the only shipped artifact.

Compromised versions (3)

  • 0.1.9
  • 0.1.5
  • 0.1.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.