VYPR

npm · Malicious package advisory

Malware

@thone33/core-utils

MAL-2026-6564

Malicious code in @thone33/core-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (05561d1a31165dab72c5090437ccfa7a85035a2b4fdf6a646eca59b62dd87120)
@thone33/core-utils 1.0.4 is a loader stub. Its main entry (index.js) imports `activate` from the same-author dependency `@thone33/analytics-injector` and invokes it at module top level whenever `process.env.NODE_ENV === 'production'`. The author's own inline comment describes this as silently activating a payload in production ('ATIVA O PAYLOAD SILENCIOSAMENTE (em produção)'). The package is advertised as 'Core utilities', which does not justify production-gated invocation of an 'analytics-injector' dependency. The NODE_ENV=production gate is a developer-laptop-dormant / production-fires evasion pattern: consumers' local dev and CI environments see nothing, while deployed production processes execute whatever code the author publishes under @thone33/analytics-injector. Because the injector is in the same author scope and pinned as `^1.0.0`, the author can ship arbitrary additional code into consumers' production runtimes via a minor/patch release without any change to this package.

Compromised versions (6)

  • 1.0.4
  • 1.0.0
  • 1.0.3
  • 1.0.1
  • 1.0.5
  • 1.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.