VYPR

npm · Malicious package advisory

Malware

npmkekw

MAL-2026-6363

Malicious code in npmkekw (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (74384b76540c8d36fef8a30dc2acd3224defeaa8a58d0155101f2f670aa8b153)
The package's main module (index.js) exports an `init()` function that spawns `/bin/bash` via `child_process.exec` and opens a TCP socket to the hardcoded remote address 49.13.148.41:443, piping the shell's stdio through the socket — a textbook reverse-shell backdoor giving the operator at that IP interactive command execution on any host that calls `init()`. Package metadata is consistent with a throwaway attack vehicle: empty `description`, empty `author`, non-descriptive name `npmkekw`, and no other functional code. The payload as shipped contains a typo (references an undefined `sh` variable and pipes from `cp.stdout`) so it crashes on first use, but the intent and structure are unambiguous and a one-character fix would make it functional.

Compromised versions (4)

  • 2.0.0
  • 2.0.3
  • 2.0.5
  • 2.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.