VYPR

npm · Malicious package advisory

Malware

gehneb

MAL-2026-4570

Malicious code in gehneb (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (02811600aba146f33bc2f2a8eeee83d8539bf60398695af9f89b80541bbff971)
package.json declares `"consolefy": "git+https://github.com/ccndjdjdnnddnd-jpg/sbdrsfhbrfh.git"` instead of resolving the legitimate `consolefy` package from the npm registry. The git URL has no commit SHA, tag, or branch pin, so `npm install` clones whatever HEAD points to at install time — fully mutable by the owner of that throwaway GitHub account (random-character username, unrelated to the legitimate consolefy publisher). The package's library entry (`lib/index.js`) transitively loads `lib/Classes/Client.js` and `lib/Classes/CommandHandler.js`, both of which `require("consolefy")` at module top level, so any code the attacker pushes to that repo executes on every installer that requires gehneb. Combined signals: empty `description` and empty `author` metadata, short opaque package name, and a Baileys/WhatsApp-bot dependency surface re-published under unrelated branding. The unpinned-attacker-repo override alone provides a silent install-time/require-time RCE channel into the installer's environment.

Compromised versions (1)

  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.