MAL-2026-10404
Malicious code in @ica-gaming/slot-engine (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (504d38d63d27d90e825007078cde3c381daa6cfa73a8009797c60f3e889c44d0) The package presents itself as a deterministic WASM slot-math engine, but slot_engine.wasm embeds obfuscated Node.js modules and Emscripten JS shim helpers that implement a full remote-access and credential-theft toolkit against the consumer host. On invocation, an embedded module opens a Node `require`/`createRequire` context, POSTs an installer-identifying id to a remote HTTPS endpoint on a jittered polling loop, and executes the returned code via `new Function(code)(require)` — giving the operator arbitrary code execution on every poll. WASM-imported helpers additionally: download a Windows `.exe` installer over HTTPS (following redirects) to a temp path and spawn it detached with the silent-install flag `/S`; fetch and extract a macOS `.pkg` via `xar -x`; and write `#!/bin/sh` + `exec node` polyglot wrapper scripts with mode 0755. Separate helpers enumerate Chromium-family and Firefox-family browser profile directories (Chrome, Brave, Edge, Opera, Vivaldi, Chromium, Firefox, Waterfox, LibreWolf, Pale Moon) for Login Data / logins.json / Cookies / Local Storage / IndexedDB / extension wallet stores, walk the home directory for wallet/keystore/.dat files, and read shell-history dotfiles, then package matching content for exfiltration through the C2 channel. The Emscripten shim and both embedded ES modules are obfuscator.io-transformed (rotated base64 string arrays, dispatchers, arithmetic-noise constants, self-defending IIFE); legitimate Emscripten output is not obfuscated. Cover strings such as 'Compiling engine dependencies. This may take a while on initial startup...' are embedded to disguise payload staging as normal engine initialization.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @ica-gaming/slot-engine (npm). Pin to a known-safe version or switch to an alternative.