MAL-2026-5558
Malicious code in sensivity (npm)
Details
## Source: amazon-inspector (ef8c17866ac1aee489e207f2a4cdb2eefbd17336edd0398b34c40ee5c69a8ef5)

On require()/import (the package's main is launcher.js; there is no install hook), the package performs the following without consent:

1. Persistence: runs PowerShell to write an HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry named 'OneDriveUpdate' that points at a bundled OneDrive.Standalone.Updater.vbs, which silently launches `node launcher.js` on every login (WScript.Shell.Run with windowStyle=0). The name impersonates the Microsoft OneDrive updater.
2. Self-relaunching hidden daemon: kills any process listening on port 3000, then spawns a detached supervisor copy of itself (`detached: true, stdio: 'ignore', windowsHide: true`) which respawns a worker forever; the original process exits, leaving a hidden background daemon.
3. Process masquerade: both supervisor and worker set `process.title = 'Runtime Broker'` to impersonate the legitimate Windows RuntimeBroker.exe in Task Manager.
4. Browser surveillance: every 3 seconds, generates a PowerShell script that uses System.Windows.Automation to enumerate Edit controls in Chrome/Edge/Opera/Opera GX/Brave windows and reads their address-bar Value/Name (currently scanning for YouTube video id `wJWta2lO0Lw`, but the same code path reads any URL the user is visiting).
5. Obfuscated payload: launcher.js eval()s a 162KB obfuscator.io-style server.obf.js that uses RC4-decoded string arrays and dispatcher functions to hide its behavior from inspection.
6. HWID fingerprint exfiltration: the obfuscated payload computes SHA-256 over HKLM MachineGuid | hostname | volume serial and POSTs {key, hwid, nonce, app, version} to a hardcoded license endpoint embedded in the obfuscated strings.
7. Undisclosed native payload: bundles sens.node, a 6.6MB Windows PE containing the strings 'Freecam', 'Teleport', 'spawnVehicle', 'Waypoint', '__licenseAccepted', i.e., a GTA V / FiveM game cheat module, while package.json describes the package only as 'Sensivity Control Panel'.

Any developer who installs `sensivity` from npm gets persistent hidden autorun, a masqueraded background daemon, browser-URL surveillance, hardware-fingerprint exfiltration, and a game-cheat binary on their Windows machine.
## Source: ghsa-malware (27c483fed5302fc3ab955cd00835c45cb62284beb4e394ce59e7eedf95a7c688) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Affected packages
No fixed version published yet for sensivity (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/sensivity/v/2.5.32 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.52 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.60 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.27 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.51 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.13 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.9 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.0 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.58 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.61 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.5 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.37 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.69 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.67 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.7 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.17 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.62 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.53 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.20 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.57 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.12 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.19 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.54 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.50 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.39 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.46 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.18 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.21 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.49 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.25 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.10 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.6 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.65 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.29 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.35 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.24 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.45 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.31 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.68 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.28 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.59 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.63 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.64 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.48 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.66 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.41 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.55 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.11 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.47 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.3 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.8 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.36 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.15 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.30 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.16 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.44 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.26 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.34 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.56 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.14 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.22 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.43 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.33 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.2 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.42 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.4 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.1 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.38 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.23 [PACKAGE]
- https://www.npmjs.com/package/sensivity/v/2.5.40 [PACKAGE]
- https://github.com/advisories/GHSA-f4f4-69p9-w9f9 [ADVISORY]