npm · Malicious package advisory
Malwareaikaf788812
MAL-2026-6217
Malicious code in aikaf788812 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c91950cef6a5f877a4a9bca074501e4c910dc50008d4c8c2623ddc21f08e31f2) Package masquerades as a string-utility library but ships a postinstall backdoor. On `npm install`, scripts/postinstall.js spawns scripts/shell.js as a detached background process (stdio:'ignore', windowsHide:true) that survives the install lifecycle. shell.js attempts multiple reverse-shell methods — a Node net socket piping /bin/sh or powershell, bash /dev/tcp, and a Python socket+subprocess payload — connecting to 114.67.90.67 on ports 3334, 4444, 443, 80, 8080, and 53. It additionally issues an HTTP GET to http://114.67.90.67:8333/ping carrying the installer's hostname, username, cwd, and OS platform/release as query parameters, fingerprinting the victim and confirming compromise. A setInterval keep-alive plus an infinite Python reconnect loop maintain persistent C2 access on the installer's machine.
Compromised versions (1)
- 1.0.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.