VYPR

npm · Malicious package advisory

Malware

@colibri-event-types/megamarket-ru-web

MAL-2026-6464

Malicious code in @colibri-event-types/megamarket-ru-web (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c4780aaf3b99e11830e6a5eda56c287f9f8e93d375f1f59320ecc9849ebdf4fe)
scripts/postinstall.js is registered as the npm `postinstall` lifecycle script and is heavily packed with obfuscator.io string-array rotation plus a self-defending/anti-debug IIFE. On install it calls os.platform() to select a per-OS URL (darwin/win32/linux), HTTPS-fetches an opaque binary, writes it to os.tmpdir(), and spawns it via process.execPath (the installer's Node) with detached:true and stdio:'ignore', then.unref()s the child so it survives npm exit. There is no hash, signature, or publisher verification on the fetched bytes. The package's stated purpose ("internal database utilities") is inconsistent with downloading and executing a remote native/JS payload. The scoped name `@colibri-event-types/megamarket-ru-web` and the fabricated `colibri-event-types.io` homepage/author/repo metadata are consistent with dependency-confusion bait targeting an internal namespace at a victim organization. Any developer workstation or CI runner that performs `npm install` of this package executes attacker-controlled code.

Compromised versions (1)

  • 5.2.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.