VYPR

npm · Malicious package advisory

Malware

npm-rce-poc

MAL-2026-7019

Malicious code in npm-rce-poc (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6365312ad1339c7d5539f594b9e472ea3f10401fa356fe49766de887368e87c9)
Package declares a `postinstall` lifecycle script that, on `npm install`, fetches a script over plain HTTP from a hardcoded bare IP (http://115.190.124.243:8761/slt on Unix,.../swt on Windows) and immediately executes it — piping to `sh` on Unix and writing to `C:\Users\Public\run.bat` via certutil then invoking it on Windows. The package presents itself as `date-fns-lite`, a lookalike of the popular date-fns library, and ships a benign-looking date-formatting index.js as cover; the actual behavior is an install-time dropper that hands remote code execution to the operator of 115.190.124.243 against every installer. No pinning, no integrity check, no TLS.

Compromised versions (1)

  • 1.0.13

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.