check-ulid@3.0.2
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-5877
Ecosystem: npm
Summary
check-ulid is a typosquat of the legitimate ulid package (README is copied verbatim, homepage and bugs link to github.com/ulid/javascript) whose postinstall script (node dist/node/utils.js) drops and persists a remote-control agent on the installer's machine.

utils.js re-spawns itself detached via spawn(process.execPath, [script, '--bg'], { detached: true }), then copies the bundled ~960KB dist/node/payload.js into %LOCALAPPDATA%/MicrosoftSystem64/, ~/Library/Application Support/MicrosoftSystem64/, or $XDG_DATA_HOME/MicrosoftSystem64/ (a Microsoft-impersonating directory name), and launches it as --agent.

Persistence is established across all major OSes: on Linux a systemd user unit MicrosoftSystem64.service is written with ExecStart=node payload.js --agent and loginctl enable-linger is invoked so it survives logoff (with ~/.config/autostart/MicrosoftSystem64.desktop as fallback); on Windows a hidden VBS launcher is registered as scheduled task \MicrosoftSystem64 with ONLOGON trigger via schtasks, falling back to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

The dropped payload.js bundles a ws WebSocket client/server, references https://huggingface.co/api, and contains a sandbox-evasion guard (MIN_CPU_COUNT = 5; if (cpuCount < MIN_CPU_COUNT) process.exit(0)) that exits silently on small CI/analysis VMs.

Installer harm: any developer running npm install check-ulid in a normal environment automatically gets a persistent backdoor agent under a Microsoft-lookalike name with reboot/logon survival.
Source: amazon-inspector (ea848e496c2022409208a3e4a7d9b364c9437699a15554a5a1ee953d4428f230)