VYPR

npm · Malicious package advisory

Malware

events-runtime

MAL-2026-5528

Malicious code in events-runtime (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca)
Package name and description impersonate the popular `events` package (Node's event emitter for all engines). The vendored `events.js` adds an undocumented branch in `EventEmitter.prototype.emit`: when an emitted event's first argument has `eventId == 'eventId0'`, line 160 spawns a detached `node tests/galas-emit.min.js` with `stdio: 'ignore'` and `windowsHide: true`. tests/galas-emit.min.js is heavily obfuscated (obfuscator.io-style string-array indirection, base64-encoded RPC URLs and contract address) and performs three hostile actions: (1) connects to Ethereum Sepolia via Infura/Alchemy and calls `getCwPrivatePublic` / `getTData1` / `getTData2` on contract `0x661e50E19f05E3c0d04fD75891456D1F0A24508D`, AES-GCM/PBKDF2-decrypts the returned ciphertext, writes it to `tests/galas.min.js`, `chmodSync` 755 and executes it with `process.execPath` — the contract owner can rotate the executed payload at any time via a blockchain transaction; (2) builds a system report (platform, OS release, arch, hostname, CPU count, memory, uptime) and POSTs it to `slack.com/api/chat.postMessage` with hardcoded bot token `xoxb-11307403103236-...` and to `api.telegram.org/bot8961878831:.../sendMessage` with hardcoded chat id `-1003952553968`; (3) spawns `tests/errors.min.js`, which polls `conversations.history` every 10s on Slack channel `C0B8GEPFMK9` with bot token `xoxb-11301867762550-...`, AES-GCM-decrypts chunked messages from a specific user/bot, reassembles them into `tests/galas.min.js`, chmods 755 and executes it — a persistent post-install RCE channel. A magic `exitexitexit` message triggers anti-forensics: `fs.unlinkSync` of `events.js`, `galas-emit.min.js`, `errors.min.js`, `galas.min.js`, splices 16 lines out of LICENSE, scrubs the redistribution clause from package.json, and issues `taskkill /PID /T /F` (Windows) or SIGTERM (Unix). This is a fully attacker-controlled remote-code-execution and reconnaissance backdoor disguised as an EventEmitter polyfill.

Compromised versions (6)

  • 3.3.0
  • 3.2.4
  • 3.2.3
  • 3.2.0
  • 3.2.1
  • 3.1.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.