VYPR

npm · Malicious package advisory

Malware

linux-ci-utils

MAL-2026-6377

Malicious code in linux-ci-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8b2c5010ed5043c947b561f4359869ec7c0f6cdf219d0b2aa35c039e36812a01)
On require(), index.js performs a Linux platform check, then decodes a base64-obfuscated URL (https://api.ingress-hub.com/cdn/assets/update.pkg) and HTTPS-downloads an opaque binary into a hidden staging path (~/.local/share/.node_cache/.runtime), chmods 0755, drops a.lock sentinel, and spawns the binary detached with stdio ignored. There is no hash or signature verification, the URL is mutable and not version-pinned, and the host (api.ingress-hub.com) is unrelated to the package's stated purpose ('CI utilities'). Identifiers are single-letter underscore-prefixed (_D,_N,_P,_F,_U,_A,_init,_run) and the destination URL is base64-hidden — obfuscation consistent with evading casual review and registry scanners rather than minification. The package's published name (linux-ci-utils) does not match its README (which advertises 'node-ci-utils'), consistent with masquerading as a plausible utility to entice installs. Any project that requires this package executes attacker-controlled bytes on Linux hosts at import time.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.