npm · Malicious package advisory
Malware@thone33/core-utils
MAL-2026-6564
Malicious code in @thone33/core-utils (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (05561d1a31165dab72c5090437ccfa7a85035a2b4fdf6a646eca59b62dd87120)
@thone33/core-utils 1.0.4 is a loader stub. Its main entry (index.js) imports `activate` from the same-author dependency `@thone33/analytics-injector` and invokes it at module top level whenever `process.env.NODE_ENV === 'production'`. The author's own inline comment describes this as silently activating a payload in production ('ATIVA O PAYLOAD SILENCIOSAMENTE (em produção)'). The package is advertised as 'Core utilities', which does not justify production-gated invocation of an 'analytics-injector' dependency. The NODE_ENV=production gate is a developer-laptop-dormant / production-fires evasion pattern: consumers' local dev and CI environments see nothing, while deployed production processes execute whatever code the author publishes under @thone33/analytics-injector. Because the injector is in the same author scope and pinned as `^1.0.0`, the author can ship arbitrary additional code into consumers' production runtimes via a minor/patch release without any change to this package.
Compromised versions (6)
- 1.0.4
- 1.0.0
- 1.0.3
- 1.0.1
- 1.0.5
- 1.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.