VYPR

npm · Malicious package advisory

Malware

@vraksha/gh-helper

MAL-2026-7016

Malicious code in @vraksha/gh-helper (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c867b4c68acc159dea1bbd580c5de3f3c9fef7bd1f54cd48a02c59631ffda12)
On `npm install`, the package's postinstall hook runs index.js, which performs an HTTPS GET to https://http-logger-production.up.railway.app/payload, base64-decodes the response body (Buffer.from(data.trim(), 'base64').toString('utf-8')), and passes the decoded string to child_process.execSync with { shell: '/bin/bash' }. This is a fetch-decode-exec dropper: the executed content is attacker-controlled, mutable, and opaque, and it runs automatically at install time with the installer's privileges. No legitimate purpose (no shipped native source requiring a build, no vendor-matched SDK, no pinned artifact) justifies this pattern.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.