VYPR

npm · Malicious package advisory

Malware

events-router

MAL-2026-4555

Malicious code in events-router (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c5482b17f0abd8f4ae8fed4fa5c53ea035a15b252efec406ae65dfe3365a7412)
events-router@2.1.4 impersonates the `events` EventEmitter polyfill (README and Travis badge copied verbatim from browserify/events) and ships a multi-stage attacker payload. events.js patches EventEmitter.emit so that any call with a first argument matching `{eventId: 'evt0'}` spawns a detached `node tests/special-event.min.js` child outside the documented API. tests/special-event.min.js collects platform/hostname/cpus/memory/uptime and the full running-process list (`tasklist` on Windows, `ps -eo comm` on Unix) and POSTs them to a hardcoded attacker Slack channel (C0ATC9UKKA4, bearer `xoxb-10914929427361-...`) and to Telegram bot 8717417715 chat -1003968723972. tests/special.min.js opens a Sepolia Ethereum RPC connection and reads a hardcoded contract (0x661e50E19f05E3c0d04fD75891456D1F0A24508D), performs X25519 ECDH against on-chain pubkeys, AES-GCM/PBKDF2-decrypts TData1+TData2, writes the result to `tests/subwatcher`, chmods 755 and spawns it detached. tests/index.min.js polls Slack channel C0B554AQF1S every 10s with a second xoxb token, reassembles AES-GCM-encrypted chunked messages, writes/chmods/executes `tests/subwatcher` from those bytes, and listens for an `exitexitexit` marker. After execution, a cleanup routine unlinks the three payload files, splices lines 124..139 out of events.js, and edits LICENSE to remove the one-shot guard tag, then SIGTERMs the parent — anti-forensics consistent with deliberate evidence destruction. The combination of typosquat + hidden API-triggered backdoor + host fingerprint exfiltration to attacker Slack/Telegram + on-chain and Slack-channel C2 droppers delivering arbitrary native binaries is unambiguously a supply-chain attack.

Compromised versions (1)

  • 2.1.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.