@oliviamcdaniel12/safer-buffer @2.2.1
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10442
Ecosystem
npm
Summary
Package impersonates the popular safer-buffer module. On require(), safer.js reads a PID from Porting-Buffer.md and, if that process is not alive, spawns node tests/safer-buffer.min.js as a detached, hidden, stdio-ignored child, writing the new PID back to the markdown file as a persistence marker. The spawned tests/safer-buffer.min.js is a heavily obfuscated (obfuscator.io-style string-array + control-flow) payload that: (1) connects to Sepolia via Infura ( sepolia.infura.io/v3/dc7257d09fab42eca2c354c32fec1938 ) and Alchemy ( eth-sepolia.g.alchemy.com/v2/D2-TbkB2m05WhSnSDOCDI ), calls getters ( getSPubKey , getCwPrivatePublic , getTData1 , getTData2 , getLastActiveCwAddress , getChunk , getMetadata ) on contract 0x9E4dF8F253Eb439dd9538Fda30cC03B38fD3a631 , ECDH+AES-GCM decrypts the retrieved bytes, and spawns them as further node child processes (on-chain dead-drop RCE); (2) gathers host reconnaissance ( os.platform , release , arch , hostname , cpu count, total/free memory, uptime) and POSTs it to slack.com/api/chat.postMessage (channel C0ATC9UKKA4 ) with an embedded xoxb-... bot token, and to api.telegram.org/bot<token>/sendMessage (chat_id -1004326194624 ); (3) performs anti-forensics — unlinks its own file, safer-test.min.js , safer.min.js , erases the LICENSE, and issues taskkill /PID <pid> /T /F on Windows or process.kill(pid, 'SIGTERM') on POSIX against the prior stored PID, then process.exit(1) . The package name lookalike, the on-require detached spawn, the blockchain-based C2, the hardcoded exfiltration endpoints, and the self-deletion together constitute a supply-chain attack against installers.
Source: amazon-inspector (55129478b44191f3a4bb3308036567d5e2eb1a73084511b424917b6b5f7bf50f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.