VYPR

npm · Malicious package advisory

Malware

@caspianph/storyteller

MAL-2026-6120

Malicious code in @caspianph/storyteller (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3bd24daaa395f2e6bfae7c6e6f488a6e114b87e2606ec1bce7dcd4ab6a92f40a)
The package ships setup.cjs containing heavily obfuscated JavaScript with hex-mangled identifiers (_0x32549a, _0x4b2b44, _0x78c349, _0x119ac2) typical of payload-hiding techniques. A file named setup.cjs in an npm package is structurally positioned to be invoked from a lifecycle hook (preinstall/install/postinstall) or required at module load. Legitimate npm packages do not obfuscate their install-time code; obfuscation in this position is overwhelmingly used to hide network beacons, credential reads, or dropper logic from casual inspection.

Compromised versions (1)

  • 1.1.13

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.