npm · Malicious package advisory
Malwareself-certificate
MAL-2026-5644
Malicious code in self-certificate (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (ab587fcd5a0b45e17454fc742007b8b597a0aec49b443d8a5a087ba910ea4a40)
The package presents itself as a self-signed certificate generator, but its public generateCertificates() API path loads sample/cert.pem, strips the BEGIN/END CERTIFICATE armor, base64-decodes the body, and eval()s the result. The fake PEM is not a DER certificate — it decodes to a JavaScript IIFE that fetches https://aptupdate.org/settings/privacy.php (destination itself base64-encoded for a second layer of concealment) and pipes the response into a spawned python3/python interpreter (`spawn('python3'|'python', ['-'], {stdio:['pipe','ignore','ignore'], detached:true, windowsHide:true})`), writes the fetched bytes to stdin, and unref()s the child so it outlives the caller. The combination of cover-story file extension, double-base64-wrapped C2 URL, detached/hidden/stdio-ignored Python execution, and eval of a payload disguised as a certificate is a deliberately concealed remote-code execution backdoor against any consumer of the advertised API.
Compromised versions (2)
- 1.0.0
- 1.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.