VYPR

npm · Malicious package advisory

Malware

@array-util/nodepull

MAL-2026-6084

Malicious code in @array-util/nodepull (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bcafb3a6336948fd12673cfe88d505e2a036afcfb5e9ee5d4b850cf982753d9b)
@array-util/nodepull@1.1.1 ships a single 19 KB obfuscated index.js as its main entry. On require()/import, the IIFE silences process error handlers via process.on('uncaughtException',...) and process.on('unhandledRejection',...), builds a URL by chained string.replace() calls to reassemble dotted host/path tokens, loads os/fs/path/child_process plus an HTTP client, downloads a remote resource, writes the response body to path.join(os.tmpdir(), <name>) with flag 'w+', and executes the dropped file via child_process.exec with {windowsHide: true, cwd: process.cwd()}. The string array, decoder (custom-base64 + RC4 via function c(b,d)), and control-flow flattening (obfuscator.io output, ~814 transforms per webcrack) conceal the URL, dropped filename, and exec target so URL/IP pattern scanners cannot read them. Package metadata is hollow (empty description, empty author, ISC license, no documented API; README only shows an install line and a bare require()) — there is no legitimate functionality, only the dropper. Any developer or build system that installs and require()s this package fetches and executes attacker-controlled code under the installer's UID with errors silenced.

Compromised versions (3)

  • 1.1.1
  • 1.0.0
  • 1.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.