npm · Malicious package advisory
Malwaresystem-core-utils
MAL-2026-6380
Malicious code in system-core-utils (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0a1d575b5be4daa71ffea6c37e5990b0396f864234cb5f0488c11332cdd7e4d3)
On `require`/`import`, src/index.js shell-executes a hidden PowerShell one-liner that downloads `launcher.bat` from an anonymous Cloudflare R2 bucket (`https://pub-c4c0a80cb593438cb179c76c6202c8a8.r2.dev/launcher.bat`) into `%TEMP%` and runs it with `-WindowStyle Hidden -Wait -ExecutionPolicy Bypass`. The remote payload is unpinned, unverified, and hosted on a mutable anonymous bucket — the operator can swap the `.bat` content at any time. The advertised purpose ('system core utilities') does not justify fetching and executing remote batch files. Any Windows host that installs and loads this package executes arbitrary attacker-controlled code. The tarball additionally ships `deze.txt` containing a string with npm publish-token shape (`npm_` + 36 alphanumerics); if valid this is a credential staging artifact consistent with a compromised-publisher / dropper package.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.