{"id":"MAL-2026-10404","summary":"Malicious code in @ica-gaming/slot-engine (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (504d38d63d27d90e825007078cde3c381daa6cfa73a8009797c60f3e889c44d0)\nThe package presents itself as a deterministic WASM slot-math engine, but slot_engine.wasm embeds obfuscated Node.js modules and Emscripten JS shim helpers that implement a full remote-access and credential-theft toolkit against the consumer host. On invocation, an embedded module opens a Node `require`/`createRequire` context, POSTs an installer-identifying id to a remote HTTPS endpoint on a jittered polling loop, and executes the returned code via `new Function(code)(require)` — giving the operator arbitrary code execution on every poll. WASM-imported helpers additionally: download a Windows `.exe` installer over HTTPS (following redirects) to a temp path and spawn it detached with the silent-install flag `/S`; fetch and extract a macOS `.pkg` via `xar -x`; and write `#!/bin/sh` + `exec node` polyglot wrapper scripts with mode 0755. Separate helpers enumerate Chromium-family and Firefox-family browser profile directories (Chrome, Brave, Edge, Opera, Vivaldi, Chromium, Firefox, Waterfox, LibreWolf, Pale Moon) for Login Data / logins.json / Cookies / Local Storage / IndexedDB / extension wallet stores, walk the home directory for wallet/keystore/.dat files, and read shell-history dotfiles, then package matching content for exfiltration through the C2 channel. The Emscripten shim and both embedded ES modules are obfuscator.io-transformed (rotated base64 string arrays, dispatchers, arithmetic-noise constants, self-defending IIFE); legitimate Emscripten output is not obfuscated. Cover strings such as 'Compiling engine dependencies. This may take a while on initial startup...' are embedded to disguise payload staging as normal engine initialization.\n","modified":"2026-07-13T07:47:06.092747044Z","published":"2026-07-13T07:03:37Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-13T07:40:13.569689775Z","versions":["1.1.0"],"id":"IN-MAL-2026-009856","modified_time":"2026-07-13T07:03:37Z","source":"amazon-inspector","sha256":"504d38d63d27d90e825007078cde3c381daa6cfa73a8009797c60f3e889c44d0"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@ica-gaming/slot-engine/v/1.1.0"}],"affected":[{"package":{"name":"@ica-gaming/slot-engine","ecosystem":"npm","purl":"pkg:npm/%40ica-gaming/slot-engine"},"versions":["1.1.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ica-gaming/slot-engine/MAL-2026-10404.json","indicators":{"evidence_files":[{"path":"slot_engine.wasm","tlsh":"7153f9463ec46984730aa5b7360bb0f5fb670c447558669ee7087cb1bcbb916e6c2b30","sha256":"64d3214cd7b1a7ef232edcd84b28d0bf23cc58a786f705c5da9be8e0f5a8f5a0"},{"path":"slot_engine.js","tlsh":"de14b44476c53d8263475ffb372bb0c4f96aaeae3844445b8018fd847ae6637e4e1a31","sha256":"2371217a8c6428d6368d729a2c2880138e28634243146314c5e5cedcd96f8374"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-o0moe4ilfXuFQzm2QcmXSAQRKXtsFdoeiQxOK67kSaSr8PQ154JFe/7xOeQFAePN9gpA807NYyPaA4/RPkTeyA==","sha1":"e955b000ff1404e74fb8ace74b4445411c6e1852"},"filename":"slot-engine-1.1.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}