npm · Malicious package advisory
Malwarepkg-fallback
MAL-2026-6570
Malicious code in pkg-fallback (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c97ea590e70f499f40938e093cd6a09a13b95030872968b5d325fee8a595f31c) Package advertises itself as a small string-manipulation library (trim, case, pad, wrap) but its install-time behavior is a dropper. package.json declares a direct dependency `native-bridge` as `http://157.254.194.200:8080/native-bridge-1.0.0.tar.gz` — a plain-HTTP tarball on a bare IP unrelated to any publisher. On `npm install`, npm fetches that arbitrary tarball and installs it into the consumer's node_modules tree, running its own lifecycle scripts. Additionally, the declared postinstall script (`scripts/check-binary.js`) downloads a second tarball, `npm-dependency-payload-1.0.0.tar.gz`, over plain HTTP from the same bare IP and writes it to `.cache/native.tgz` with errors silently swallowed. Neither fetch is pinned, hash-verified, or sourced from publisher infrastructure, and the shipped tarball contains no native source code that would justify a native-bridge dependency. The string-utility cover story is inconsistent with the install-time behavior, which is the deliberate-evasion shape of a supply-chain dropper.
Compromised versions (1)
- 1.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.