VDB
KO

MAL-2026-10524

Malicious code in @velkov/isows (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4fee1d7d5125231d00f9c5f9afe9817b76900ca385b7d077bb4b8bcf3d9ca660) Package is published as `@velkov/isows` while its README, repository (`wevm/isows`), description ("Isomorphic WebSocket"), and author (`jxom.eth`) impersonate the legitimate `isows` package. The legitimate upstream `utils.ts` is an 8-line `getNativeWebSocket` helper; in this package, `_cjs/utils.js` and `_esm/utils.js` append ~50KB of obfuscator.io-style payload (rotated string array `a4()`, base64+RC4 decoder `a5()`, debugger-trap class, `while(!![])` loops). The payload runs at top level whenever the package is `require`d or `import`ed (the package.json `main` is `./_cjs/index.js`, which loads `./utils.js`). Behavior: re-execs Node with a sentinel env var, dynamically loads `https`/`fs`/`os`/`child_process`/`path`/`crypto`, issues an HTTPS GET to an RC4-decoded host/path, streams the response to a hostname-derived filename under `os.tmpdir()`, validates a sha256 from a sidecar JSON fetched from the same attacker-controlled host (attacker controls both payload and verification), AES-256-GCM-decrypts the bytes with a key XOR-derived from four embedded 32-byte buffers, `chmod`s 0o755, and `spawn`s the binary `{detached:true, stdio:'ignore', windowsHide:true}` so it survives the parent process. Error-handling stubs are empty to suppress diagnostics. This is the canonical typosquat-plus-dropper supply-chain attack pattern: any installer or transitive consumer that loads `@velkov/isows` runs attacker-controlled native code on their machine.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @velkov/isows

No fixed version published yet for @velkov/isows (npm). Pin to a known-safe version or switch to an alternative.

References