{"id":"MAL-2026-6672","summary":"Malicious code in ulid-xyz (npm)","details":"ulid-xyz is a typosquat of the popular ulid library (sortable unique IDs) and is a cross-platform Remote Access Trojan delivered via a postinstall hook. The package.json postinstall superficially looks like an inline `node -e` guard that checks for the existence of a dist file, but it actually launches dist/node/utils.js as a detached background process, which in turn runs dist/node/payload.js -- a 467 KB bundled RAT. payload.js decodes XOR+base64-obfuscated configuration (_CFG.WS / _CFG.HTTP) to beacon to a hardcoded attacker-controlled C2 over WebSocket at ws://95.216.232.162:8010/ (with an HTTP fallback at http://95.216.232.162:8010/), establishing a WebSocket RAT channel. It installs persistence on all three major operating systems under the stem MicrosoftSystem64: on Windows under %LOCALAPPDATA%\\MicrosoftSystem64; on macOS under ~/Library/Application Support/MicrosoftSystem64 plus a LaunchAgent at ~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist; and on Linux under ~/.local/share/MicrosoftSystem64. The install-time detached spawn (process management capability) and the ~8x package size spike (64 KB to 536 KB) correspond to the bundled RAT payload -- behavior a ULID library has no legitimate need for. All versions of ulid-xyz were published by the same actor (iloiyxo643 / iloiyxo643@ufiwi.space, a disposable email address) and are considered malicious.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (23041702700830f3caa094b14bf923ac78f81d6d0cef96ec784e948dbe4fc705)\nPackage publishes as 'ulid-xyz' — a name edit away from the established 'ulidx' / 'ulid' libraries — and its README instructs users to `npm install index-ulid` and `import { ulid } from \"index-ulid\"`, pointing at a second confusable name maintained by the same author. The declared homepage links to the canonical ulid repository (github.com/ulid/javascript), reinforcing the impersonation. package.json declares `scripts.postinstall` that runs `node dist/node/utils.js` after a required-files guard, but `dist/node/utils.js` is absent from this tarball — only `dist/node/index.cjs` and `dist/node/index.js` ship. As published, the guard throws and the postinstall is inert, so no malicious code executes on install in this version. The wired-but-missing lifecycle target combined with the confusable name and a bloated runtime dependency list (pino, ws, zod, esbuild, tsup, ts-node, typescript, @types/node, @types/ws, and a meta `postinstall` package — none required for ULID generation, where the legitimate ulidx ships zero runtime deps) is consistent with a dormant-dropper staging pattern: ship a benign tarball under a confusable name, then publish a future version that fills in the postinstall target. No exfiltration, no install-time RCE, and no silent-relay are present in the current code, so a public block would overclaim the present-version harm. Routing to human review for confusion-risk assessment and so a reviewer can monitor future versions of this name.\n","modified":"2026-07-09T16:32:03.722527796Z","published":"2026-06-29T00:00:00Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-08T22:57:54Z","id":"IN-MAL-2026-008956","import_time":"2026-07-08T23:27:55.611565194Z","sha256":"5bf783a4cfc3bed5bff2b0fb13d8a258b73975f26522a02835d0ceca6617a7b3","source":"amazon-inspector","versions":["3.2.3"]},{"modified_time":"2026-07-08T23:03:28Z","id":"IN-MAL-2026-008995","import_time":"2026-07-08T23:27:58.131458911Z","sha256":"7a5a0d54d479c79e864c40664737bacecb36d3db5f2a9e057a675f2676fbf64e","source":"amazon-inspector","versions":["3.2.4"]},{"modified_time":"2026-07-08T23:03:03Z","id":"IN-MAL-2026-008992","import_time":"2026-07-08T23:27:57.925984015Z","sha256":"8813adaf661e003f6fd912fb4ccb2e5ab0e03ad0f59b22bcd383e437809a39a5","source":"amazon-inspector","versions":["3.1.0"]},{"import_time":"2026-07-08T23:27:57.030438293Z","versions":["2.12.1"],"source":"amazon-inspector","sha256":"23041702700830f3caa094b14bf923ac78f81d6d0cef96ec784e948dbe4fc705","modified_time":"2026-07-08T23:01:08Z","id":"IN-MAL-2026-008979"},{"import_time":"2026-07-08T23:27:55.988638004Z","id":"IN-MAL-2026-008963","source":"amazon-inspector","sha256":"4694d7ae5e45aba5bd778dfb392fbb5f74eb656d5e8776f5d764fcdf14752199","versions":["3.2.2"],"modified_time":"2026-07-08T22:58:54Z"},{"modified_time":"2026-07-08T22:59:03Z","id":"IN-MAL-2026-008964","import_time":"2026-07-08T23:27:56.034403557Z","sha256":"5b10656015ed6acb83ec8adc3c6d2df6f689fa4df07d9919d960601f37925bfe","source":"amazon-inspector","versions":["3.2.1"]},{"import_time":"2026-07-09T16:20:50.527212591Z","versions":["2.12.2"],"source":"amazon-inspector","sha256":"dd2787ff09af17aca56837745858f6000ae5807fb4b2533af5ee9894eda025de","modified_time":"2026-07-09T15:42:39Z","id":"IN-MAL-2026-009198"},{"modified_time":"2026-07-09T15:42:46Z","id":"IN-MAL-2026-009199","import_time":"2026-07-09T16:20:50.601518986Z","sha256":"99061d362d2397b2f7764034eb262faeff455cd9a844857362e8856503d7842f","source":"amazon-inspector","versions":["2.12.3"]},{"modified_time":"2026-07-09T15:42:55Z","id":"IN-MAL-2026-009200","import_time":"2026-07-09T16:20:50.685797752Z","sha256":"9ceddd9d7a11efd9e91cd3311d4493ae74b8eea902c89c50f9a34ecff1f991a7","source":"amazon-inspector","versions":["3.2.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ulid-xyz/v/3.2.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ulid-xyz/v/3.2.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ulid-xyz/v/3.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ulid-xyz/v/2.12.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ulid-xyz/v/3.2.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ulid-xyz/v/3.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ulid-xyz/v/2.12.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ulid-xyz/v/2.12.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ulid-xyz/v/3.2.0"}],"affected":[{"package":{"name":"ulid-xyz","ecosystem":"npm","purl":"pkg:npm/ulid-xyz"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["3.2.3","3.2.4","3.1.0","2.12.1","3.2.2","3.2.1","2.12.2","2.12.3","3.2.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ulid-xyz/MAL-2026-6672.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-5NhBaJCLo5YIDVb3KzJgDG2SvxtBGSf9OykOL7giFamQfS4VK5pRcG6EkYdi5nE9gzgnMdojnvRNf8v9CntLsw==","sha1":"b8a8f3e76d3dbcd973df0f9c7c29e2d427b62288"},"filename":"ulid-xyz-3.2.3.tgz"}],"evidence_files":[{"sha256":"55c6deeed25a2bcd08c63ec49e5b37d13d177264e51d14750a0358d271bde078","tlsh":"15b1a65b2d4122760d92e3c209c5b694ebe9b23d265040dcb87d523c33a7b57027feea","path":"README.md"},{"sha256":"b07c33ec30d4ea48ed223f6b907e338c7956f66a352b43d03eec728c23fcbe1e","tlsh":"1d511225cda90d730ac02598ecbe4695a536845b8dd0f9487399421d0fcc3af01ff2ee","path":"package.json"}]},"iocs":{"ips":["95.216.232.162"],"urls":["ws://95.216.232.162:8010/","http://95.216.232.162:8010/"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}