VYPR

npm · Malicious package advisory

Malware

nativescript-swisspost-pcc-creative-editor

MAL-2026-5793

Malicious code in nativescript-swisspost-pcc-creative-editor (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a9c9ef8861d14485e696e98c66d95ee5c2a5a608b213841c9c18b254003ae049)
Package masquerades as an internal Swiss Post NativeScript package (name `nativescript-swisspost-pcc-creative-editor`, description literally `Security PoC for Bug Bounty`). package.json declares `preinstall: node index.js`. On `npm install`, index.js reads `process.env.INIT_CWD`, takes its basename as the installer's project directory name, and POSTs it together with a timestamp to a hardcoded callback URL `https://deepbounty.dd06-dev.fr/cb/dc8ee9ff-1372-47c3-b2b6-ce0564ce1f90`. Effect on the installer: arbitrary Node code executes at install time and the installer's project name is leaked to a third-party host without consent. Although the author labels it a bug-bounty proof of concept, the package is structurally a dependency-confusion attack — any developer or build system that pulls it expecting the legitimate internal Swiss Post package suffers code execution and information disclosure.

## Source: ghsa-malware (79abd1aa0c5c799c32fb06a50d7f2de45d89d937ec397e95e17b04f8b6463896)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (1)

  • 54.16.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.