npm · Malicious package advisory
Malwareruntimekit
MAL-2026-6477
Malicious code in runtimekit (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (ffa393dec171ebd22b63776d7550006d3f9f60ad8726ce1153784080e9038acd)
lib/index.cjs and lib/index.mjs (re-required from lib/readonly.cjs) contain a self-executing IIFE that decodes two opaque strings via a custom shuffle routine (`YWG`), recovers the identifier `constructor` from one of them, retrieves the Function constructor via property access, then builds and invokes nested Function-constructor calls — `Function('', Function('', decoded1))(decoded2)(7942)` — executing arbitrary decoded JavaScript at module load. Before the synthesis, the loader assigns `global.r = require` and `global.m = module`, deliberately smuggling Node's require and module bindings into the global scope so the dynamically constructed function (which does not inherit the module's closure) can reach them. A marker `global._V = "A6-Shadow-16"` is also set. The package advertises itself as a validation/runtime utility but ships an obfuscated self-injecting loader with no legitimate purpose for hiding code from Function constructors. Any consumer that does `require('runtimekit')` or `require('runtimekit/readonly')` runs the decoded payload in-process with full Node privileges.
Compromised versions (2)
- 1.0.5
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.