VYPR

npm · Malicious package advisory

Malware

your-unique-package-name1

MAL-2026-4737

Malicious code in your-unique-package-name1 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8a82d9cce1cd5cae0e9bae039dc08eccc18ec4494b182d11ab35c25ac4496d34)
On import in a browser context, index.js creates a hidden iframe pointing at https://www.pendo.io/?builder.frameEditing=true and postMessages a 'builder.patchUpdates' payload to 20 hardcoded builder-<uuid> resources, replacing their '/bindings/show' binding with an injected script. The injected script calls fetch('https://novus-api.pendo.io/pendo/app', {credentials:'include'}), base64-encodes the authenticated response, and beacons it in 2000-byte chunks to https://webhook.site/ea1a1f2d-46e2-463a-a1c1-48c53846dff4 via new Image().src. Any application that bundles this package will silently exfiltrate its end users' authenticated Pendo session data to an anonymous attacker-controlled webhook. The package self-describes as 'Security research PoC' but the destination is not a researcher-owned domain and the targeting (hardcoded victim UUIDs, credentials-included fetch) is consistent with a live attack rather than a contained PoC.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.