npm · Malicious package advisory
Malwarejest-test-plugin-utils
MAL-2026-5896
Malicious code in jest-test-plugin-utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3f948eff13632557a65152c587b6aa87783e49cf40504aedca8ee15da6ed205e) The package advertises itself as a Jest plugin (name: 'jest-test-plugin-utils', description: 'mqtt utils') but ships no Jest or MQTT functionality. Its main entry dist/index.js is a heavily obfuscated 200KB browserify bundle (obfuscator.io fingerprint: 1299-entry rotated string array, decoder wrapper, control-flow flattening; built with the declared devDependency 'gulp-javascript-obfuscator'). After deobfuscation, the only meaningful behavior is a function loadFilbetScriptSilently() (exposed as window.__fetchFilbetScript__) that creates a <script> element with src='https://cdn.jsdelivr.net/gh/gongben2024/network-security@main/src/filbet.js' and appends it to document.head, executing whatever code the author hosts at that mutable @main branch. The destination repository is named 'network-security' under author 'gongben2024' and is unrelated to the package's stated purpose. Because the reference is to the @main branch (not a pinned commit/tag), the author can change the executed payload at any time without republishing this package. Any application that bundles or imports this module will execute attacker-controlled JavaScript in the browser context, with full access to the host page's DOM, cookies, and storage. The combination of name camouflage, heavy obfuscation, and unpinned remote-script execution is a deliberate supply-chain attack pattern.
Compromised versions (4)
- 1.0.0
- 1.0.2
- 1.0.1
- 1.0.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.