VDB
KO

MAL-2026-5579

Malicious code in webpack-cache-cycle (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (82fa37e2478a7109e376e3a062ccb203806511033930eb7390e45fe7ef404b81) On `npm install`, package.json's `postinstall` hook runs `node -e "require('./loader.js')"`. loader.js spawns a detached node process that decodes a hex-encoded URL (https://jsonkeeper.com/b/L435A — an anonymous, mutable paste host), performs an HTTPS GET, writes the response's `session` field to a temporary.js file, and `require()`s it — executing attacker-controlled JavaScript on the installer's machine. The URL is obfuscated as a hex literal padded with whitespace inside `Buffer.from(...)` to evade naive string scanners. The detached spawn lets `npm install` exit cleanly while the dropper continues asynchronously. The package's advertised purpose is a webpack cache plugin, which does not justify any network access at install time. The package name `webpack-cache-cycle` and README title `webpack-cache-plugin` impersonate legitimate webpack tooling, with placeholder author metadata (`Webpack Tools`) and a non-existent GitHub repository.

## Source: ghsa-malware (1a7e46df199f0d8dbede5404aab0ad253bb78bce77001d4b875d116806d9839d) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / webpack-cache-cycle
Introduced in: 0

No fixed version published yet for webpack-cache-cycle (npm). Pin to a known-safe version or switch to an alternative.

References