npm · Malicious package advisory
Malwareboardflow
MAL-2026-5799
Malicious code in boardflow (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f9d5c1524281430272215f48a90b957cf08f76dcb9954cb73945421dff358eb2)
package.json declares `preinstall: node install.js`, which fires automatically on `npm install`. install.js is heavily obfuscated (obfuscator.io string-array shuffle with `_0xNNNN` identifiers and split-string concatenation) to hide its behavior. After deobfuscation, the script downloads `https://www.pooron.org/ice.exe` into the OS temp directory as `tester_<randomhex>.exe`, chmods it 755, and spawn-detaches it via `spawn(PAYLOAD_PATH, [], {detached:true, stdio:'ignore', windowsHide:true}).unref()` — using a cmd-style invocation on Windows and direct exec on macOS/Linux. A console message `[boardstep] Optional dependency initialized.` is printed as a cover story (note that `boardstep` does not match the package name `boardflow`). The payload domain `pooron.org` is not the package's publisher, the URL is mutable and unpinned, no hash or signature check is performed, and the binary is opaque. Supporting indicators of disposability: README is 0 bytes, `dependencies` declares a self-reference (`boardflow: ^1.1.8`), and the package's stated kanban purpose has no implementing code. This is a textbook install-time dropper: any developer or build system running `npm install boardflow` immediately executes attacker-controlled code with the installer's privileges.
## Source: ghsa-malware (cc323a00bbf1170838fed70d04a3915cb58a92a97ab496e8d02e6eaac03bebb0)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (8)
- 1.1.4
- 1.1.5
- 1.2.0
- 1.1.6
- 1.2.1
- 1.1.7
- 1.1.9
- 1.1.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.