npm · Malicious package advisory
Malwaregator-client
MAL-2026-4569
Malicious code in gator-client (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1925735d02fb91f74a11718c3402ad0b10f551eecb8c6d88f02d475b3e0a799f)
On `npm install` (via scripts.install: `node index.js`) and on every `require('gator-client')`, lib/core.js collects `os.userInfo().username`, `os.hostname()`, and the basename of `process.cwd()`, then issues a `dns.resolve4()` query for `lwgator.<user>.<host>.<cwd>.<ts>.oob.sl4x0.xyz`, leaking installer host identifiers over DNS to an attacker-controlled out-of-band domain. The function name `resolve4`, the module names `os`/`dns`/`process`, and the C2 domain `oob.sl4x0.xyz` are stored as decimal byte arrays in lib/b02e30.js and lib/6ad264.js and decoded via `String.fromCharCode` at runtime (paired with hex-style identifiers like `_0x5b3d`) to evade naive string scanners. The package's advertised purpose ("Enterprise-grade utilities with enhanced validation and compatibility layer") is a cover story: src/ ships plausible-looking benign modules, but the only code reached from the install hook and main entry is the beacon. The author email `research@sl4x0.xyz` matches the exfil domain `sl4x0.xyz`, confirming attacker ownership of the receiving infrastructure. DNS-based exfiltration is specifically chosen to bypass HTTP egress filters that would otherwise block outbound POSTs.
Compromised versions (1)
- 9.9.11
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.