npm

electron-orbit @1.0.36

Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 1:05 AM UTC

Malicious

OSV ID

MAL-2026-6723

Ecosystem

npm

Summary

On require('electron-orbit'), the module unconditionally fires an auto-prefetch pipeline in Node contexts (when no document is present) that opens a raw node:net socket to electronorbit.blob.core.windows.net:443 and speaks a hand-written TLS 1.3 stack (custom ClientHello, HKDF key schedule, AES-128-GCM in aetherls.ts) rather than using https, bypassing standard TLS interception and static inspection. Every network-related string — the Azure hostname components, node:net, connect, ALPN http/1.1, the HTTP request line, the marker filename, and the process.env enumeration keys — is XOR-obfuscated through a helper __s(key, arr).

The postinstall script install.js writes an install marker to os.tmpdir()/electron_orbit_install_marker.txt containing the process.env entries whose keys match path (PATH-family variables) plus process.cwd(), and separately stages os.hostname(), os.userInfo().username, process.version, platform and arch into a decoy file under bin/formatters/ prefixed with a fake native-binary magic byte. On require, index.ts reads the tmpdir marker, XORs it with the string electron-orbit, hex-encodes it, and appends the result as a query-string suffix to the Azure blob URL, so the storage account's HTTP request logs capture the installer's PATH-family environment and working directory.

Activation is gated: the destination host is only populated when the SHA-256 of process.env.BuildType is a substring of a hardcoded 64-hex constant (0ceaa396…8295); otherwise the source is set to %TEMP% and the request fails to resolve, keeping the payload dormant on non-targeted installers and firing only when a specific env var is set (e.g., in a chosen CI environment).

The advertised purpose (Electron-style runtime discovery) has no relationship to icon fetching or SVG rendering; the icon surface is a pretext: getRegisteredIcon returns a hardcoded empty <svg> regardless of the network response.

Source: amazon-inspector (7faf51a6c9d6ed9fce8cf9de9ea8afee0e9c3dc1fb254e8cd0c3c2a8ca61323f)
