VYPR

npm · Malicious package advisory

Malware

swift-optimizer

MAL-2026-4677

Malicious code in swift-optimizer (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5c54f35da6df5cef65715d49fb7942aff442ee9a0cb486862031e5009277db3a)
On `npm install`, swift-optimizer@1.1.0 runs scripts/install-binary.js as a postinstall hook. The script is a hand-rolled JavaScript bytecode VM (~123 KB) with a base64-encoded constant pool that hides all install-time behavior — platform detection, network I/O, environment reads, file writes — from source-level scanners. Decoded behavior:

1. Dropper: fetches a binary from https://telemetry021312.blob.core.windows.net/share/?v=<checksum> using a spoofed Edge User-Agent, writes it to bin/swift-optimizer-<arch>(.exe), and chmods 0755. The destination is anonymous Azure blob storage; the URL is unpinned and the bytes are not hash-verified. The destination domain has no relationship to the package's stated author/homepage. The package's main `Optimizer` API is wired to invoke this binary at runtime.

2. Targeted-victim guardrail: getVersionChecksum reads process.env.USERDNSDOMAIN, USERDOMAIN, USERDOMAIN_ROAMINGPROFILE, os.hostname(), and an internal-IP lookup, SHA-256-hashes them, and only proceeds if the digest matches one of three hardcoded values (GUARDRAIL_DIGESTS = ['9aee64bc...','1e0ad8d7...','680326dc...']). This restricts execution to pre-identified victim organizations.

3. Sandbox evasion: localTestenvCheck issues an HTTPS HEAD to the RFC1918 address https://10.100.135.17/ with rejectUnauthorized:false and inspects ECONNRESET/error signals to determine whether the host is on a real corporate LAN vs. an analyst sandbox; also checks process.env.CI.

4. Anti-debug: process.hrtime.bigint() timing checks set a 'deception detected' flag if execution is slowed by a debugger.

5. Cover-story metadata: package.json author 'Bob Smith' with throwaway GitHub URL bobsmith012545/swift-optimizer and homepage releases.swift-optimizer.io — placeholder publisher consistent with a single-purpose attack package.

The combination of an unpinned anonymous-host binary drop, victim-domain hash allowlisting, RFC1918 sandbox probing, anti-debug, and bespoke bytecode-VM obfuscation has no legitimate explanation. This is a targeted supply-chain dropper.

Compromised versions (1)

  • 1.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.