npm

velocityfix @1.0.4

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 12:45 AM UTC

Malicious

OSV ID

MAL-2026-6487

Ecosystem

npm

Summary

Package masquerades as 'Performance fixes for Minecraft Velocity proxy' authored by 'Velocity Team'. Velocity is a Java project from PaperMC and has no legitimate npm distribution. package.json declares scripts.postinstall = 'node scripts/loader.js', which silently spawns a bundled payload.exe via start /b on every npm install.

The bundled PE contains a hardcoded C2 at https://751.lol/upload/ and posts a multipart form with the fields username, os_info, ip_address, and file=data.zip, exfiltrating the installer's hostname, OS, IP address, and a zip of collected files to an attacker-controlled host. The payload labels itself [INJECTOR], reads the registry values ProductName and DisplayVersion, and performs sandbox/VM evasion (probing for SbieDll.dll, snxhk.dll, Vboxguest.sys, vmGuestLib.dll, and other VMware/VirtualBox artifacts) so that it only fully detonates on real victim hosts.

The combination of a brand-impersonation lure, install-time auto-execution of an opaque native binary, a hardcoded exfil endpoint, and anti-analysis evasion is an unambiguous Windows-targeted supply-chain dropper.

Source: amazon-inspector (c937a54c3629f80fb7b92fbdafda502706b6028b43bc4675eb30c55d9bc059e9)
