npm · Malicious package advisory
Malware@frostnode/waitfor
MAL-2026-6305
Malicious code in @frostnode/waitfor (npm)
Details
@frostnode/waitfor (malicious versions 0.9.0, 0.10.3, 0.10.4, and 0.10.5, published by frostnode-gk8pbf@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern <scope>-<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a wait/delay utility and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload (lib/tickinit.js in the earliest variant, dist/cjs/tickinit.cjs thereafter). package.json declares a postinstall hook (e.g. "node ./dist/cjs/tickinit.cjs") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Consistent with the campaign, the dangerous versions sit in mid-ranges while the latest tag (0.10.6) points to a scrubbed release with an empty scripts block. Malicious payload dist/cjs/tickinit.cjs (0.10.5) SHA-256: 2de602e6422a991346aaf0b74ed6bd525215f5177b9f7f267ccb4d82e919273d.
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c332f4386c51821f983068e5df440f4fbc53c88d6ecc561ca41a8a444d3df998)
Package is published under scope `@frostnode` but its package.json homepage and repository point at `https://github.com/mmustra/rxjs-poll` — the legitimate `rxjs-poll` library by a different maintainer. The library source in `dist/cjs/index.js` is a near-verbatim copy of mmustra/rxjs-poll with one injected line: `var _trapHook = require('./tickinit.cjs')` at the top, and `_trapHook.runPrepare()` invoked from inside the package's only documented export, `poll(config)` (dist/cjs/index.js:204). `dist/cjs/tickinit.cjs` is a ~259KB obfuscator.io-protected blob (string-array shuffling, RC4-decoded property names, control-flow flattening, runtime `Function(...)` construction). It carries hardcoded base64 ciphertext that is decrypted at runtime via `crypto.createDecipheriv('aes-256-gcm', …)` to recover a C2 URL, then re-launches the user's node binary under an env-var sentinel, dynamically requires child_process/fs/os/https/crypto, downloads attacker-controlled bytes to `os.tmpdir()`, writes a `.lock` JSON with sha256, and spawns the downloaded file via `child_process.spawn(process.execPath, [tmpfile], {detached:true}).unref()`. tickinit.cjs additionally exports `onInstall = () => runPrepare()` and ends with `if (require.main === module) onInstall();`, providing extra trigger surfaces (direct `node tickinit.cjs` invocation, or a future postinstall hook) for the same dropper. Any consumer who imports `@frostnode/waitfor` and calls `poll()` — the documented and sole API — gets remote-code execution on their machine with no consent, no version pinning, and no signature verification of the downloaded payload. The AES-GCM-wrapped destination, repackaging of an unrelated maintainer's library under a new scope, and multiple redundant trigger paths are the canonical malicious-dropper fingerprint.
Compromised versions (5)
- 0.9.0
- 0.10.4
- 0.10.3
- 0.10.5
- 0.10.6
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.