{"id":"MAL-2026-4345","summary":"Malicious code in eo-terminal (npm)","details":"Part of a multi-package malicious campaign by npm author `toskypi`, `eo-terminal` is a fully-featured infostealer and remote access trojan (RAT) disguised as \"terminal changelog logger utilities.\" The package README describes a completely different package (`terminal-logger-utils`), indicating a name-recycling or typosquatting attack. It is part of the same campaign as `logger-draft`.\n\nOn installation, a `postinstall` hook runs `utils.js`, which performs a sandbox check (aborts if CPU count ≤ 4 or no CPU model string), copies the 24,000-line `payload.js` to a persistent path named `MicrosoftSystem64`, registers it as a persistent service (systemd user service on Linux, LaunchAgent plist on macOS, scheduled task or `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` registry key on Windows), and launches the payload as a detached background agent — `process.exit(0)` is called immediately so the npm install completes with no visible errors.\n\n**C2 infrastructure:** Primary WebSocket/HTTP C2 at `ws://195.201.194.107:8010` (Hetzner Cloud, Germany). Stolen data is also exfiltrated to HuggingFace repository `yszf984308/system-release` via a hardcoded API token. C2 config strings are XOR-obfuscated with key `[90, 60, 126, 18, 159, 75, 109, 138]` and base64-encoded in `dist/config.js`.\n\n**Capabilities:**\n- **Keylogger** — full keystroke and password-field capture with an offline queue at `~/.pcl-data/offline-queue.jsonl` that drains automatically on C2 reconnect\n- **Clipboard harvesting** — polls every 1,000 ms via platform-native tools (`pbpaste`, `xclip`, PowerShell)\n- **Screenshot capture and live streaming** — one-shot and continuous AnyDesk-style streaming; periodic upload to HuggingFace\n- **Browser credential theft** — Login Data, Cookies, Web Data from all Chromium-family browsers; `logins.json`, `key4.db`, `cert9.db` from Firefox\n- **Crypto wallet exfiltration** — 20+ wallets including Exodus, Electrum, Phantom, Ledger Live, Trezor, Trust Wallet, Monero GUI, and Bitcoin/Litecoin/Dogecoin Core\n- **SSH backdoor** — exfiltrates `~/.ssh/` contents and appends attacker RSA key (`bink@DESKTOP-N8JGD6T`) to `authorized_keys`\n- **Shell history theft** — 15+ history file formats including `.bash_history`, `.zsh_history`, PowerShell `ConsoleHost_history.txt`, and `~/.atuin/history.db`; iterates all user home directories\n- **Environment variable harvesting** — targets API keys, tokens, and cloud credentials matching keywords such as `aws`, `github_token`, `npm_token`, `stripe`, `openai`, and `jwt`\n- **.env file theft** — reads the victim's project-root `.env` at install time\n- **Telegram session theft** — gzip-packs and uploads the full `tdata/` directory (up to 500 MB)\n- **Cloud credential theft** — `~/.aws/`, `~/.azure/`, `~/.kube/`, `~/.config/gcloud/`, `~/.docker/`, `~/.gnupg/`, `.git-credentials`, `.netrc`\n- **Recursive filesystem scan** — scans for certificates, key files, and credential-named files (`.pem`, `.key`, `.pfx`, `.kdbx`, `.ppk`, `wallet`, `mnemonic`, `seed`, etc.); uploads matches (up to 50 MB each) to HuggingFace\n- **Remote command execution** — arbitrary shell commands and full interactive terminal sessions\n- **Self-update** — polls HuggingFace for updated versions and deploys platform-native compiled binaries (`MicrosoftSystem64-win.exe`, `-linux`, `-darwin-x64`, `-darwin-arm64`)\n\n**Evasion:** The payload detaches from the npm install process immediately (no blocking output), masquerades as `MicrosoftSystem64` to blend into Windows system process names, abuses HuggingFace as a trusted exfiltration channel, and uses XOR+base64 obfuscation for all C2 config strings.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3a56d3d23a5c71474129a52aa4fc3a0e529cfd4bdfda56752be09694399bd127)\npackage.json declares `\"postinstall\": \"node utils.cjs\"`. utils.cjs is heavily obfuscated (obfuscator.io string array of ~1300 entries, hex-named accessors, RC4+base64 decoder `_d()`, debugger/anti-console traps with a 4-second setInterval). At install time it decrypts a hidden binary URL and bearer token, GETs a platform-specific executable from that URL with `Authorization: Bearer \u003cdecoded-token\u003e`, writes it into an app-data directory, chmods it 0o755, and spawns it detached with no integrity verification. After dropping the binary it installs OS-level persistence on every platform: a Windows `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` registry value via `reg.exe ADD`, a macOS LaunchAgent plist in `~/Library/LaunchAgents/`, and a systemd user `.service` + `.timer` in `~/.config/systemd/user/` enabled via `systemctl --user enable`. Re-execution gated on a `_postinstall_complete` argument ensures persistent relaunch across reboots. Package metadata further indicates deception: the published name is `eo-terminal` while README describes the package as `terminal-logger-utils` and claims 'zero runtime dependencies' contradicting the 9 dependencies declared in package.json. The combination of obfuscated install-time URL and token, opaque remote binary execution, multi-OS persistence, and name/README mismatch is unambiguous attacker behavior.\n\n## Source: ghsa-malware (db3aed88539d69dfa9e315ae1a0667b9b94219940f99c80a6d7d0972d37699f7)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n","aliases":["GHSA-29rh-48q6-xhpc"],"modified":"2026-05-26T09:46:42.578526436Z","published":"2026-05-22T14:23:42Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004323","modified_time":"2026-05-23T12:44:06Z","source":"amazon-inspector","sha256":"454c0411a250b314825786d829095f874a44bf70d7a2823b3121067997c71f5c","versions":["3.2.1"],"import_time":"2026-05-26T05:52:22.604002399Z"},{"id":"IN-MAL-2026-004322","modified_time":"2026-05-23T12:44:02Z","source":"amazon-inspector","sha256":"1928a26838c726261816237118a5b9326f9ccbb134e7742150367d0da6040394","versions":["3.2.1"],"import_time":"2026-05-26T05:52:22.512535798Z"},{"id":"IN-MAL-2026-004215","modified_time":"2026-05-22T14:23:43Z","source":"amazon-inspector","sha256":"2635433ada8920f14d91950ffd400e4b92fea2987260dc259dec240260942a9d","versions":["3.2.0"],"import_time":"2026-05-26T05:52:10.236174336Z"},{"source":"amazon-inspector","modified_time":"2026-05-22T14:23:42Z","import_time":"2026-05-26T05:52:10.136494813Z","id":"IN-MAL-2026-004214","versions":["3.2.0"],"sha256":"3a56d3d23a5c71474129a52aa4fc3a0e529cfd4bdfda56752be09694399bd127"},{"import_time":"2026-05-26T09:28:44.433803064Z","modified_time":"2026-05-26T09:20:23Z","source":"ghsa-malware","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"sha256":"db3aed88539d69dfa9e315ae1a0667b9b94219940f99c80a6d7d0972d37699f7","id":"GHSA-29rh-48q6-xhpc"}]},"references":[{"type":"WEB","url":"https://x.com/safedepio/status/2058848260845076651"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/eo-terminal/v/3.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/eo-terminal/v/3.2.0"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-29rh-48q6-xhpc"}],"affected":[{"package":{"name":"eo-terminal","ecosystem":"npm","purl":"pkg:npm/eo-terminal"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["3.2.1","3.2.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"91f1874a66176a618df093a0a34b5226daaf61a77341d570fabcc0993f37015c033dee","sha256":"d2eb448fe47789aafbbde0ee70f297270fbfa659a45f755d00e4104bf028eb65","path":"utils.js"}],"package_integrity":[{"hashes":{"sha1":"adf1a349bdc7098e3fadde9cd01d3dc9258a8f06","sha512_sri":"sha512-teCH6mS4QW5kIdkOoXT32echnBlw8H80aZazIv5d6aeZf3K96U0eKXgdAzSjKrOm64AvRu72JXcYsy7XX9CXmA=="},"filename":"eo-terminal-3.2.1.tgz"}],"domains":["34.8.16.104.in-addr.arpa"]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eo-terminal/MAL-2026-4345.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}