npm · Malicious package advisory
Malwarezenith-utils
MAL-2026-6401
Malicious code in zenith-utils (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c29676376a28531b186e09fbf7e2d3a0697943ece764e0604ebbdd4b734ae094)
Package name is zenith-utils but the tarball is a verbatim copy of the nodemailer source tree (lib/nodemailer.js as main, lib/smtp-transport, lib/ses-transport, lib/dkim, lib/mail-composer, etc.; package.json author set to nodemailer's real maintainer 'Andris Reinman'). package.json declares `postinstall: node lib/utils/index.js`, which uses spawn with `detached: true`, `stdio: ['ignore','ignore','ignore']`, and `child.unref()` to launch lib/utils/smtp-connection/index.js as a hidden background process that survives the npm install command. That process forks lib/utils/smtp-connection/worker.js, which polls `https://jsonkeeper.com/b/WDH3V` in an infinite loop and executes the returned `cookie` field via `new Function('require', r.data.cookie)(require)`. jsonkeeper.com is an anonymous, mutable paste host — the author can change the served payload at any time, granting arbitrary Node-privileged code execution on every machine that has installed the package. The detached/unref'd spawn is deliberately designed to hide the activity from npm's lifecycle logs while the eval loop runs persistently in the background.
Compromised versions (2)
- 12.0.14
- 12.0.15
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.