VYPR

npm · Malicious package advisory

Malware

macos-ci-utils

MAL-2026-6378

Malicious code in macos-ci-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8f342b002e02396d7f82ee89e77140204c35b673411afd05bc1b3ca91c895a06)
On first require of the package, index.js decodes a base64-encoded URL (https://api.ingress-hub.com/cdn/assets/update.pkg) and downloads the response to ~/Library/Application Support/.node_cache/.runtime, chmods it 0755, writes a.lock sentinel for idempotency, and spawns it detached with stdio ignored. There is no hash or signature verification, the destination domain is unrelated to the package's stated publisher, and the staged file uses a hidden dot-name. The dropper code uses obfuscation patterns inconsistent with a legitimate utility: single-letter identifiers (_D, _N, _P, _F, _U, _A), a base64-encoded URL string, a forged Mozilla/5.0 macOS User-Agent, and darwin-only platform gating. The README advertises a passive 'getStatus()' validation API and does not mention any network fetch or binary execution; the code's behavior contradicts the documentation. Any installer that requires this package on macOS executes attacker-controlled bytes from api.ingress-hub.com with full user privileges.

Compromised versions (2)

  • 1.0.1
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.