VYPR

npm · Malicious package advisory

Malware

@merceas/cross-fetch

MAL-2026-6510

Malicious code in @merceas/cross-fetch (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5f6307129b7d9edcbd76ffc93c9d8a6ae146332951d5ce90e659afe1eec01127)
Package is published under the @merceas scope as `cross-fetch` and reuses the upstream cross-fetch README, homepage (github.com/lquixada/cross-fetch), and author metadata to impersonate the legitimate `cross-fetch` package. The package `main`, dist/node-ponyfill.js, contains decoy ponyfill code followed by two obfuscator.io-packed IIFEs that run when the module is `require()`d. The IIFEs dynamically import fs/os/path/https/http/crypto/url/child_process, AES-256-decrypt a URL constructed at runtime from four 32-byte hex Buffers, HTTPS-GET the payload (handling 301/302/303/307/308 redirects with exponential-backoff retries), write it under `os.tmpdir()/<name>-<pid>/`, chmod the file to 0755 (`chmodSync(file, 0o1ed)`), then execute it via `bash -c <file>` and additionally spawn a detached, `unref()`'d child with `stdio:'ignore'` and `windowsHide:true` for self-respawn / persistence. Obfuscation uses a string-array with numeric-IIFE shift, RC4-keyed base64 lookup, and an anti-tamper RegExp debugger self-test to hide the URL and command strings from static inspection. Importing this package — directly or as a transitive — executes attacker-controlled bytes on the installer's machine in any environment that loads the module (CI, build, production, developer workstation).

Compromised versions (1)

  • 3.1.12

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.