Logo
npm

swift-optimizer @1.1.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4677

Ecosystem

npm

Summary

On npm install , swift-optimizer@1.1.0 runs scripts/install-binary.js as a postinstall hook. The script is a hand-rolled JavaScript bytecode VM (~123 KB) with a base64-encoded constant pool that hides all install-time behavior — platform detection, network I/O, environment reads, file writes — from source-level scanners. Decoded behavior: 1. Dropper: fetches a binary from https://telemetry021312.blob.core.windows.net/share/?v=<checksum> using a spoofed Edge User-Agent, writes it to bin/swift-optimizer-<arch>(.exe), and chmods 0755. The destination is anonymous Azure blob storage; the URL is unpinned and the bytes are not hash-verified. The destination domain has no relationship to the package's stated author/homepage. The package's main Optimizer API is wired to invoke this binary at runtime. 2. Targeted-victim guardrail: getVersionChecksum reads process.env.USERDNSDOMAIN, USERDOMAIN, USERDOMAIN_ROAMINGPROFILE, os.hostname(), and an internal-IP lookup, SHA-256-hashes them, and only proceeds if the digest matches one of three hardcoded values (GUARDRAIL_DIGESTS = ['9aee64bc...','1e0ad8d7...','680326dc...']). This restricts execution to pre-identified victim organizations. 3. Sandbox evasion: localTestenvCheck issues an HTTPS HEAD to the RFC1918 address https://10.100.135.17/ with rejectUnauthorized:false and inspects ECONNRESET/error signals to determine whether the host is on a real corporate LAN vs. an analyst sandbox; also checks process.env.CI. 4. Anti-debug: process.hrtime.bigint() timing checks set a 'deception detected' flag if execution is slowed by a debugger. 5. Cover-story metadata: package.json author 'Bob Smith' with throwaway GitHub URL bobsmith012545/swift-optimizer and homepage releases.swift-optimizer.io — placeholder publisher consistent with a single-purpose attack package. The combination of an unpinned anonymous-host binary drop, victim-domain hash allowlisting, RFC1918 sandbox probing, anti-debug, and bespoke bytecode-VM obfuscation has no legitimate explanation. This is a targeted supply-chain dropper.

Source: amazon-inspector (5c54f35da6df5cef65715d49fb7942aff442ee9a0cb486862031e5009277db3a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.

SEE HACKTRON REVIEW → SCAN DEPENDENCIES