package-uploader @1.3.25
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5932
Ecosystem
npm
Summary
package-uploader@1.3.25 ships an install-hook.js that runs automatically as the npm postinstall script (package.json declares "postinstall": "node install-hook.js"). The hook embeds a 383KB base64 string (LAUNCHER_BIN_BASE64), XOR-decrypts it with key 0x42, writes the result to %TEMP%/tmp_<timestamp>.exe, and launches it detached via spawn('cmd', ['/c', 'start', '/b', TEMP_EXE], { detached: true }), a classic obfuscated-binary dropper executed on every npm install. After dropping the payload, a detached cleanup process waits ~90 seconds and then edits the victim's package.json and package-lock.json to remove the dependency entry (the cleanup code references the name mailconfirmer, indicating the campaign re-publishes under rotating names) and recursively deletes the installed module directory; if direct deletion fails, it registers a Windows scheduled task via schtasks /create to remove the directory later. The package's stated purpose is a UI navbar library, and the index.js entry point exports only theme colors as a decoy, which is completely unrelated to executing a Windows binary. The combination of a name/description/decoy-main mismatch, an embedded XOR-encrypted PE payload, automatic postinstall execution, and anti-forensics manifest tampering makes this an unambiguous supply-chain dropper.
Source: amazon-inspector (69b86134d9cd019c2d8ad172eed54cd4a48839d69ed2c6af52b79ef5080da765)