npm · Malicious package advisory
Malware@caspianph/storyteller
MAL-2026-6120
Malicious code in @caspianph/storyteller (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3bd24daaa395f2e6bfae7c6e6f488a6e114b87e2606ec1bce7dcd4ab6a92f40a) The package ships setup.cjs containing heavily obfuscated JavaScript with hex-mangled identifiers (_0x32549a, _0x4b2b44, _0x78c349, _0x119ac2) typical of payload-hiding techniques. A file named setup.cjs in an npm package is structurally positioned to be invoked from a lifecycle hook (preinstall/install/postinstall) or required at module load. Legitimate npm packages do not obfuscate their install-time code; obfuscation in this position is overwhelmingly used to hide network beacons, credential reads, or dropper logic from casual inspection.
Compromised versions (1)
- 1.1.13
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.