npm · Malicious package advisory
Malware@vraksha/gh-helper
MAL-2026-7016
Malicious code in @vraksha/gh-helper (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8c867b4c68acc159dea1bbd580c5de3f3c9fef7bd1f54cd48a02c59631ffda12)
On `npm install`, the package's postinstall hook runs index.js, which performs an HTTPS GET to https://http-logger-production.up.railway.app/payload, base64-decodes the response body (Buffer.from(data.trim(), 'base64').toString('utf-8')), and passes the decoded string to child_process.execSync with { shell: '/bin/bash' }. This is a fetch-decode-exec dropper: the executed content is attacker-controlled, mutable, and opaque, and it runs automatically at install time with the installer's privileges. No legitimate purpose (no shipped native source requiring a build, no vendor-matched SDK, no pinned artifact) justifies this pattern.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.