VYPR

npm · Malicious package advisory

Malware

jest-test-plugin-utils

MAL-2026-5896

Malicious code in jest-test-plugin-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3f948eff13632557a65152c587b6aa87783e49cf40504aedca8ee15da6ed205e)
The package advertises itself as a Jest plugin (name: 'jest-test-plugin-utils', description: 'mqtt utils') but ships no Jest or MQTT functionality. Its main entry dist/index.js is a heavily obfuscated 200KB browserify bundle (obfuscator.io fingerprint: 1299-entry rotated string array, decoder wrapper, control-flow flattening; built with the declared devDependency 'gulp-javascript-obfuscator'). After deobfuscation, the only meaningful behavior is a function loadFilbetScriptSilently() (exposed as window.__fetchFilbetScript__) that creates a <script> element with src='https://cdn.jsdelivr.net/gh/gongben2024/network-security@main/src/filbet.js' and appends it to document.head, executing whatever code the author hosts at that mutable @main branch. The destination repository is named 'network-security' under author 'gongben2024' and is unrelated to the package's stated purpose. Because the reference is to the @main branch (not a pinned commit/tag), the author can change the executed payload at any time without republishing this package. Any application that bundles or imports this module will execute attacker-controlled JavaScript in the browser context, with full access to the host page's DOM, cookies, and storage. The combination of name camouflage, heavy obfuscation, and unpinned remote-script execution is a deliberate supply-chain attack pattern.

Compromised versions (4)

  • 1.0.0
  • 1.0.2
  • 1.0.1
  • 1.0.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.