VYPR

npm · Malicious package advisory

Malware

log-taker1

MAL-2026-6690

Malicious code in log-taker1 (npm)

Details

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `log-taker1` embeds a full infostealer (~2800 lines) directly in `index.js`, executed at install time via `postinstall: node test.js`. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases, exfiltrating all data to the C2 domain `log-taker.store`. The C2 is shared with the `rohmat2527` maintainer account.

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1cb455347231cee7751b1f84a97c50feab599fef0df9feece7cf4d646e1f5beb)
log-taker1@0.1.0 ships an index.js that requires child_process and invokes execSync('bash...') and execSync('zsh...') to shell out at load time. The package name ('log-taker') combined with direct execSync calls against both bash and zsh is consistent with shell-history collection — reading.bash_history /.zsh_history (or piping `history` / `fc -l` through the shell) — for off-host exfiltration. Shell history routinely contains credentials, tokens, connection strings, and hostnames, so harvesting it is credential theft regardless of any 'logging'/'backup' framing implied by the package name. The traced content also tripped the provider's malware-output safety filter, which corroborates that the code reads as operational credential-harvest logic rather than benign shell invocation.

Compromised versions (1)

  • 0.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.