VDB
KO

MAL-2026-10402

Malicious code in @gleamkit/ws (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8fc9213fe9e786988b3fd882b571f03aeaa1487b8006badb837b4e804da66eee) The package publishes under scope `@gleamkit/ws` while copying the `ws` package's description, homepage, repository, author, and README verbatim, and bundling the legitimate `ws` source so it appears functional. Appended to `lib/websocket.js` after the copied WebSocket implementation is a heavily obfuscated payload (base64+RC4 string decoder over a ~700-entry rotated string array, hex-named identifiers, duplicated as two sequential IIFEs) that reconstructs hostnames, paths, environment keys, and spawn arguments at runtime. On every load — `index.js` (main) and `wrapper.mjs` both pull in `./lib/websocket` — the payload issues an HTTPS request to fetch an external binary, AES-256-GCM decrypts it, writes it under `os.tmpdir()`, chmods it to 0o755, and spawns it as a detached, `unref()`ed child process with `windowsHide:true`, then calls `process.exit`. A marker env variable gate (`process.env[d]!== e`) is used to avoid re-entry. Because require/import is the trigger, any project that installs and loads `@gleamkit/ws` executes attacker-controlled bytes fetched from a remote host at load time.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @gleamkit/ws

No fixed version published yet for @gleamkit/ws (npm). Pin to a known-safe version or switch to an alternative.

References