npm · Malicious package advisory
Malwareruntime-query
MAL-2026-6144
Malicious code in runtime-query (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (95ac68a991ebaacd1aef772aa462ad53510471f9f4439659a6e685e877aa460e)
On require(), index.js (lines 70-77) fetches JSON from https://jsonkeeper.com/b/CI3HT, extracts the `.cookie` field from the response, and passes it to `new Function.constructor('require', cookie)(require)` — compiling and executing attacker-controlled JavaScript with full access to Node's `require`. jsonkeeper.com is an anonymous, mutable paste host: the operator can swap the payload at any time without republishing the package. Any installer (or downstream package) that imports runtime-query gives the author arbitrary code execution on their machine. The package's metadata (description claims a generic query framework, empty `author`, no repository/homepage) is a cover story — the only shipped code is the 70-line remote loader.
## Source: ghsa-malware (5e87dd3327c55739c97fd3ee0f8e3afbce376ccf800ada675abd1c1d709ddd5c)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (1)
- 1.6.6
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.