npm · Malicious package advisory
Malwareboardstep
MAL-2026-5800
Malicious code in boardstep (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d23139a90bc62310843522a9f8c266cf11ec4166f7a493072bf93b7d8ec05b0c)
The package wires all three npm lifecycle hooks (preinstall, install, postinstall in package.json) to run install.js, which downloads https://www.pooron.org/tester.exe to the system temp directory under a randomized filename, marks it executable, and spawns it detached with stdio ignored and the window hidden (install.js:9 declares PAYLOAD_URL and install.js:64 calls spawn with {detached: true, stdio: 'ignore', windowsHide: true}). All errors are swallowed. There is no hash verification, the URL is unpinned, and the destination domain is unrelated to any declared publisher. The advertised purpose is a 'lightweight kanban board utility,' but index.js only exports a trivial stub class with format/getSystemInfo methods — no kanban functionality is present. The package metadata also uses a random-looking author handle ('sfhbdrffthger'), consistent with a cover-story lure paired with a dropper. On `npm install`, the installer's machine fetches and silently executes an opaque attacker-controlled binary.
Compromised versions (9)
- 1.1.4
- 1.1.0
- 1.0.7
- 1.0.0
- 1.1.2
- 1.0.5
- 1.1.3
- 1.0.9
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.