VYPR

npm · Malicious package advisory

Malware

self-certificate

MAL-2026-5644

Malicious code in self-certificate (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ab587fcd5a0b45e17454fc742007b8b597a0aec49b443d8a5a087ba910ea4a40)
The package presents itself as a self-signed certificate generator, but its public generateCertificates() API path loads sample/cert.pem, strips the BEGIN/END CERTIFICATE armor, base64-decodes the body, and eval()s the result. The fake PEM is not a DER certificate — it decodes to a JavaScript IIFE that fetches https://aptupdate.org/settings/privacy.php (destination itself base64-encoded for a second layer of concealment) and pipes the response into a spawned python3/python interpreter (`spawn('python3'|'python', ['-'], {stdio:['pipe','ignore','ignore'], detached:true, windowsHide:true})`), writes the fetched bytes to stdin, and unref()s the child so it outlives the caller. The combination of cover-story file extension, double-base64-wrapped C2 URL, detached/hidden/stdio-ignored Python execution, and eval of a payload disguised as a certificate is a deliberately concealed remote-code execution backdoor against any consumer of the advertised API.

Compromised versions (2)

  • 1.0.0
  • 1.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.