npm · Malicious package advisory
Malwarejs-crypto-promise
MAL-2026-5569
Malicious code in js-crypto-promise (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f)
The package's `prepinstall.js` script base64-decodes a hidden URL (stored in a constant misleadingly named `HASH_KEY` decoding to https://jsonkeeper.com/b/DWNFF, an anonymous paste service), fetches the JSON body via axios, reads the `.cache` field, and pipes the contents into a detached `node` child process via stdin: `const child = spawn('node', [], { detached: true, stdio: ['pipe', 'ignore', 'ignore'] }); child.stdin.write(k1);`. This dropper fires automatically on `npm install` via `scripts.postinstall`. To defeat the `--ignore-scripts` mitigation, `index.js` also wraps a dynamic `import('./prepinstall.js')` inside a top-level IIFE, so any consumer that `require('js-crypto-promise')` re-triggers the same remote fetch and execution. The payload host is mutable, anonymous, unpinned, and unverified — the package author can swap in arbitrary code at any time. The package name impersonates the legitimate `crypto-promise` package: the README copies the real package's example code and embeds the real package's npm badge link, and the homepage points at the legitimate maintainer's GitHub repo. Installer impact: any `npm install` or `require()` of this package executes attacker-controlled Node.js code on the installer's machine.
## Source: ghsa-malware (e9fe53199afdef1859ff9dc2c719ee2631c26ac984d1f8ed3387b10ea35b306e)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (1)
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.