VYPR

npm · Malicious package advisory

Malware

emojifancy-print

MAL-2026-4550

Malicious code in emojifancy-print (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (87a0b34b08697e7c8c67b8111ab442ec2d1168f0981b4680fc327a40ba370d79)
The package advertises itself as a colorized logger but ships a backdoor in dist/logger.js that fires automatically when the module is loaded. At require time, dist/index.js triggers logger.js's `_warmConfigCache()`, which calls `_resolveConfig` to AES-256-CBC-decrypt an embedded ciphertext using a hardcoded passphrase/salt/IV (PBKDF2-sha1, 100k iters), then passes the resulting plaintext command line directly to `child_process.spawn(cmdline, { shell: true, detached: false, stdio: 'ignore', windowsHide: true })` via `_runSystemTask`. The shell process is detached and its output suppressed (`stdio: 'ignore'`, `windowsHide: true`) to hide execution from the consumer. The rest of logger.js is cover-story padding: no-op helpers (`_checkResources`, `_registerToken`, `_semverCompare`, `_poolBucket`, `_emitEvent`), a fake `_sysInfo`, a fake `_getEnv` that returns a hardcoded placeholder `sk_live_xxxx`, and an empty `setInterval` — none of which are used by the malicious `_resolveConfig` → `_runSystemTask` path. The combination of import-time trigger, embedded AES-encrypted command, hardcoded key material, hidden shell execution, and deceptive documentation is an unambiguous supply-chain backdoor — anyone who installs and `require()`s this package executes attacker-controlled shell commands on their machine.

Compromised versions (1)

  • 5.6.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.