npm

events-runtime@3.3.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5528

Ecosystem

npm

Summary

Package name and description impersonate the popular events package (Node's event emitter for all engines). The vendored events.js adds an undocumented branch in EventEmitter.prototype.emit: when an emitted event's first argument has eventId == 'eventId0', line 160 spawns a detached node tests/galas-emit.min.js with stdio: 'ignore' and windowsHide: true.

tests/galas-emit.min.js is heavily obfuscated (obfuscator.io-style string-array indirection, base64-encoded RPC URLs and contract address) and performs three hostile actions:

(1) Connects to Ethereum Sepolia via Infura/Alchemy and calls getCwPrivatePublic / getTData1 / getTData2 on contract 0x661e50E19f05E3c0d04fD75891456D1F0A24508D, AES-GCM/PBKDF2-decrypts the returned ciphertext, writes it to tests/galas.min.js, chmodSync 755 and executes it with process.execPath. The contract owner can rotate the executed payload at any time via a blockchain transaction.

(2) Builds a system report (platform, OS release, arch, hostname, CPU count, memory, uptime) and POSTs it to slack.com/api/chat.postMessage with hardcoded bot token xoxb-11307403103236-... and to api.telegram.org/bot8961878831:.../sendMessage with hardcoded chat id -1003952553968.

(3) Spawns tests/errors.min.js, which polls conversations.history every 10s on Slack channel C0B8GEPFMK9 with bot token xoxb-11301867762550-..., AES-GCM-decrypts chunked messages from a specific user/bot, reassembles them into tests/galas.min.js, chmods 755 and executes it: a persistent post-install RCE channel. A magic exitexitexit message triggers anti-forensics: fs.unlinkSync of events.js, galas-emit.min.js, errors.min.js and galas.min.js, splicing 16 lines out of LICENSE, scrubbing the redistribution clause from package.json, and issuing taskkill /PID /T /F (Windows) or SIGTERM (Unix).

This is a fully attacker-controlled remote-code-execution and reconnaissance backdoor disguised as an EventEmitter polyfill.

Source: amazon-inspector (aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca)
