MAL-2026-10438
Malicious code in netspeedutil (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (e07c032df7e95243bcbf1af8d20d23ef9427620fc3050965ca1a3b3ce9faa4f1) On install, setup.js walks up to the installer's project tree and scans image files for a '__STEG__' marker. When found, it AES-256-CBC-decrypts an embedded steganographic payload that points to a file inside the installer's node_modules and uses a regex (`cli.command("build [root]"...finally{...}`) to patch that third-party CLI's build command, prepending an import of netspeedutil/inject.js and an `await inject()` call inside the build's finally block. Once tampered, every subsequent project build runs inject.js, which uses javascript-obfuscator (control-flow flattening, dead-code injection, base64 string-array encoding) to embed an obfuscated client into dist/index.html. That client opens a WebRTC TURN connection to a hardcoded attacker host at 13.234.111.178:3478 as a covert C2 / signaling channel and renders attacker-supplied DOM content to end users of any site the developer ships. The package's stated purpose ('Fast string matching and pattern validation utilities') is a cover story unrelated to the actual code. This is a build-pipeline supply-chain compromise: the installer's production artifacts are silently weaponized against their own end users.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for netspeedutil (npm). Pin to a known-safe version or switch to an alternative.