
MAL-2026-5827

Malicious code in index-ulid (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5acad250c58c9c27804a14b640d17438998fbaabd43b77c69008c7180014f361)

index-ulid impersonates the legitimate `ulid`/`ulidx` ULID generator (it reuses ulid's description and links its homepage to github.com/ulid/javascript), but its `postinstall` script (package.json line 36: `node dist/node/utils.js`) is a cross-platform dropper. utils.js detaches with `--bg`, copies the bundled `dist/node/payload.js` into a directory named `MicrosoftSystem64` under the user's data-local directory (utils.js:7 `var UNIT_STEM = "MicrosoftSystem64"`) to disguise it as a Microsoft system component, then installs persistence on every major OS: Windows `schtasks /create /sc ONLOGON` (with a Registry Run key fallback), macOS detached spawn, and Linux `systemd --user` service or `~/.config/autostart`. The dropped file is then launched in the background as `node payload.js --agent` (utils.js:75-79 `spawn(process.execPath, [jsPath, "--agent"], { detached: true })`). The 949 KB `payload.js` bundles a WebSocket client/server (`ws`), pino, and zod, and contains string references to `/api/validate`, `/api/hf`, `https://huggingface.co/api`, and `Telegram`: a long-running C2 agent that beacons to remote services from every host that installs the package. Both the postinstall and the agent contain a sandbox-evasion CPU gate (utils.js:155 skips when `cpus.length <= 4`; the payload.js cpu-guard sets `MIN_CPU_COUNT = 5` and exits otherwise), so the dropper only fires on real developer/server machines and stays silent in malware sandboxes and small CI runners. None of this behavior is justified by a ULID library; the package is a typosquat lure for a persistent backdoor.
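The abuse hinges on an npm install lifecycle hook, so one defensive check is to audit every `package.json` in a dependency tree for such hooks. The script below is an added example, not part of this OSV record or of any package it names; the blocklist set and the sample tree it builds are constructed for the demo.

```python
import json
import os
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # run on `npm install`
KNOWN_BAD_NAMES = {"index-ulid"}  # name from the advisory; placeholder blocklist


def audit_manifest(manifest, path="<memory>"):
    """Return findings for one parsed package.json (a dict)."""
    findings, name = [], manifest.get("name", path)
    if name in KNOWN_BAD_NAMES:
        findings.append(f"{name}: listed in MAL-2026-5827")
    for hook, cmd in (manifest.get("scripts") or {}).items():
        if hook in INSTALL_HOOKS:
            # A hook that runs a bundled file with node, as index-ulid's
            # postinstall does, is ranked above other install hooks.
            level = "high" if cmd.strip().startswith("node ") else "review"
            findings.append(f"{name}: {hook} runs {cmd!r} [{level}]")
    return findings


def audit_tree(root):
    """Walk `root` (e.g. a node_modules directory) and audit every manifest."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except ValueError:
            findings.append(f"{path}: unparseable package.json")
            continue
        findings.extend(audit_manifest(manifest, path))
    return findings


def demo():
    """Constructed sample tree: one clean package, one mimicking index-ulid."""
    with tempfile.TemporaryDirectory() as root:
        pkgs = {"ulid": {"name": "ulid"},
                "index-ulid": {"name": "index-ulid", "scripts": {
                    "postinstall": "node dist/node/utils.js"}}}
        for dirname, manifest in pkgs.items():
            pkg_dir = os.path.join(root, "node_modules", dirname)
            os.makedirs(pkg_dir)
            with open(os.path.join(pkg_dir, "package.json"), "w") as fh:
                json.dump(manifest, fh)
        return audit_tree(root)
```

Point `audit_tree` at a real `node_modules` directory to list every package that runs code at install time; `npm install --ignore-scripts` prevents such hooks from running while you review the findings.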


Affected packages

npm / index-ulid

No fixed version published yet for index-ulid (npm). Pin to a known-safe version or switch to an alternative.
