@dervix/ws @8.21.4
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC
OSV ID
MAL-2026-6496
Ecosystem
npm
Summary
Package @dervix/ws impersonates the popular ws WebSocket library: its package.json copies the legitimate ws project's homepage (https://github.com/websockets/ws), repository, and author metadata while publishing under an unrelated scope. lib/websocket.js appends ~130KB of heavily obfuscated code after the genuine socketOnError function; this payload executes at require() time via index.js. On import the payload (1) re-spawns the current Node process detached with stdio:'ignore' and windowsHide:true, gated by an obfuscated marker env var so the parent returns cleanly while a daemonized child continues; (2) constructs an AES-256 key by XOR-combining four hardcoded hex Buffers; (3) issues an HTTPS GET (following 3xx redirects) to an encrypted-in-source URL, streams the response to a file under os.tmpdir(), and decrypts it via createDecipheriv; (4) calls fs.chmodSync(path, 0o755) and child_process.spawn(path, ...) with detached:true, then unref()s the child. Dynamic import('child_process') / import('path') is used to defeat static require audits, and an inspector.url() check short-circuits execution when a debugger is attached. There is no signature verification, no version pinning, and the destination URL is RC4-decoded at runtime so it cannot be inspected statically. Combined with the cloned ws metadata, this is a deliberate typosquat dropper that lands and executes attacker-controlled binary code on any machine that installs and imports the package.
Source: amazon-inspector (79b9ab7431b1a6a1250c089e2ea33f54ad92313f587fbd2aabc020c12be55f69)