VYPR

npm · Malicious package advisory

Malware

font-picker-responsive

MAL-2026-6162

Malicious code in font-picker-responsive (npm)

Details

The npm package `font-picker-responsive` (published by npm user `sproger`, slavatopbuyer@gmail.com) is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains (surrprisingcoompanny.lol and barbellmate.xyz). On component mount it registers `appsFlyer.onInstallConversionData` and exfiltrates the app's install/conversion attribution data via `axios.post("https://barbellmate.xyz", data)`, fetches a remote-config URL, and renders it full-screen in a `react-native-webview` that is hidden (display:'none') unless the server returns a valid URL — i.e. App Store review-evasion / attribution-laundering ('cloaking'). The package name is a decoy unrelated to its actual function, and the real logic is concealed behind junk 'calculator' functions with Ukrainian-language comments. Indicators of compromise: C2 surrprisingcoompanny.lol, barbellmate.xyz; npm author `sproger`. Both C2 domains are currently unregistered (dangling-C2 takeover risk for any app still shipping these packages). In this package the payload is obfuscated with obfuscator.io (RC4 string-array); the C2 `barbellmate.xyz` and the exfiltration logic are recoverable by decoding the string array (recovered fragments include 'https://barbellmate.xyz' and 'Error during fetchData').

Compromised versions (2)

  • 1.0.0
  • 2.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.