VYPR

npm · Malicious package advisory

Malware

jextic-eclib

MAL-2026-5712

Malicious code in jextic-eclib (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (13a6476409b9cb9296b7f778be375081c8ad12b030658351092e9fef90f4b707)
On `npm install`, the package's postinstall hook (`postinstall.js`) requires `index.js`, whose top-level `scanAndExfiltrate()` call walks the installer's working directory and parent directories for sensitive files (.env,.aws/credentials,.ssh/id_rsa,.npmrc,.netrc,.git-credentials, service-account.json, and similar) and POSTs their contents via `execSync('curl...')` to a hardcoded Discord webhook. The webhook URL is split into two base64-encoded chunks (`aHR0cHM6Ly9kaXNjb3JkLmNvbS9hcGkvd2ViaG9va3Mv` plus a base64-encoded webhook ID/token) and reassembled at runtime to evade simple string scanners. The combination of installer-secret enumeration, hardcoded attacker-controlled exfil endpoint, base64 obfuscation, and unconditional execution under the postinstall lifecycle hook is a textbook supply-chain credential-theft attack.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.