OSV ID
MAL-2026-10451
Ecosystem
npm
Summary
Package name typosquats the legitimate gifuct-js GIF parser and re-exports it as cover. On module load, code reconstructs the host filament-zap.vercel.app and paths /service/assets/fetchBinary / /service/assets/fetchLinuxBinary from String.fromCharCode numeric arrays, downloads a platform-specific executable, writes it to a WinMetrics / WinService.exe path under the user data directory, chmods it 0755 on Linux, and spawns it detached with stdio ignored and unref'd. The payload is fetched over an obfuscated, unpinned URL with no hash or signature verification, and the download-and-execute path is unrelated to the advertised GIF-parsing purpose.
Source: amazon-inspector (965f65127a6b6d2a6865e91efe6a878ae1e076b9ef4de23152aef4ee6080038b)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.