OSV ID
MAL-2026-6687
Ecosystem
npm
Summary
On Windows, installing procwire@2.0.0 automatically downloads and executes an attacker-controlled executable. The package.json preinstall script runs lib/setup.js, which platform-gates to win32, then constructs a download URL by XOR-decoding values pulled from two floating-version sibling packages ( endpointmap: "*" and bytecraft: "*" ) — splitting the C2/payload reference across separate packages so it can be rotated post-publication without modifying procwire itself. lib/worker.js obfuscates every sensitive identifier through String.fromCharCode.apply(null, [...]) arrays — the strings 'https', 'child_process', 'spawn', 'curl.exe', 'bitsadmin', 'powershell.exe', 'cmd.exe', ':Zone.Identifier', the fake update filename prefixes, and the Microsoft-Delivery-Optimization/10.0 User-Agent are all assembled at runtime to defeat static analysis. The download uses a three-tier fallback (Node https, curl.exe, bitsadmin) with TLS verification disabled ( rejectUnauthorized: false ) and ranged-resume support, saves the binary to %LOCALAPPDATA%\Temp under names such as msedge_update_*.exe , chrome_installer_*.exe , or teams_update_*.exe , strips the Mark-of-the-Web :Zone.Identifier alternate data stream to bypass SmartScreen, then spawns the executable hidden and detached ( detached: true, stdio: 'ignore', windowsHide: true ). The advertised purpose of procwire is a process-IPC library, which has no need to fetch or execute any external binary. The combination — preinstall lifecycle hook, win32 gating, split-payload URL via wildcard siblings, identifier obfuscation, TLS-verify disabled, fake update filenames, MOTW stripping, hidden execution — is unambiguous malware behavior.
Source: amazon-inspector (011cf28d546459d946b1ed6d92c3beb4cb7c5322d6a9370d52fcd40e9a81ac2f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.