MAL-2026-6305

Malicious code in @frostnode/waitfor (npm)

Details

@frostnode/waitfor (malicious versions 0.9.0, 0.10.3, 0.10.4, and 0.10.5, published by frostnode-gk8pbf@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern <scope>-<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a wait/delay utility and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload (lib/tickinit.js in the earliest variant, dist/cjs/tickinit.cjs thereafter). package.json declares a postinstall hook (e.g. "node ./dist/cjs/tickinit.cjs") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Consistent with the campaign, the dangerous versions sit in mid-ranges while the latest tag (0.10.6) points to a scrubbed release with an empty scripts block. Malicious payload dist/cjs/tickinit.cjs (0.10.5) SHA-256: 2de602e6422a991346aaf0b74ed6bd525215f5177b9f7f267ccb4d82e919273d.
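As an added defender-side example (not part of the advisory or of the package), the following Python triages an installed copy of @frostnode/waitfor against the indicators listed above: the malicious version set, the tickinit postinstall hook, the payload SHA-256, and, as a fallback, the javascript-obfuscator markers the advisory names. The sample package.json and payload bytes are constructed, and the directory layout assumed by triage_dir is the standard node_modules/@frostnode/waitfor tree.

```python
"""Added example: triage checks for @frostnode/waitfor using MAL-2026-6305 indicators."""
import hashlib
import json
import re
from pathlib import Path

# Indicators taken from the advisory text.
MALICIOUS_VERSIONS = {"0.9.0", "0.10.3", "0.10.4", "0.10.5"}
PAYLOAD_SHA256 = "2de602e6422a991346aaf0b74ed6bd525215f5177b9f7f267ccb4d82e919273d"
PAYLOAD_PATHS = ("lib/tickinit.js", "dist/cjs/tickinit.cjs")
# Cheap static markers of javascript-obfuscator output (hex identifiers, while(!![]) IIFE).
OBFUSCATION_MARKERS = (re.compile(r"_0x[0-9a-f]{4,}"), re.compile(r"while\s*\(\s*!!\[\]\s*\)"))


def triage(pkg_json: dict, files: dict) -> list:
    """Return findings for one package; files maps relative path -> bytes present on disk."""
    findings = []
    if pkg_json.get("name") != "@frostnode/waitfor":
        return findings
    version = pkg_json.get("version", "")
    if version in MALICIOUS_VERSIONS:
        findings.append(f"version {version} is a known malicious release")
    hook = pkg_json.get("scripts", {}).get("postinstall", "")
    if "tickinit" in hook:
        findings.append(f"postinstall hook runs payload: {hook!r}")
    for rel in PAYLOAD_PATHS:
        data = files.get(rel)
        if data is None:
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest == PAYLOAD_SHA256:
            findings.append(f"{rel} matches known payload SHA-256")
        elif any(m.search(data.decode("utf-8", "replace")) for m in OBFUSCATION_MARKERS):
            findings.append(f"{rel} present with obfuscation markers (sha256 {digest[:12]}...)")
    return findings


def triage_dir(package_dir: str) -> list:
    """Load package.json and payload candidates from an installed package directory (assumed layout)."""
    root = Path(package_dir)
    pkg = json.loads((root / "package.json").read_text())
    files = {rel: (root / rel).read_bytes() for rel in PAYLOAD_PATHS if (root / rel).is_file()}
    return triage(pkg, files)


# Constructed sample mirroring the advisory's description of 0.10.5; the payload bytes are a
# stand-in, so only the obfuscation heuristic fires here, not the SHA-256 match.
SAMPLE_PKG = {"name": "@frostnode/waitfor", "version": "0.10.5",
              "scripts": {"postinstall": "node ./dist/cjs/tickinit.cjs"}}
SAMPLE_FILES = {"dist/cjs/tickinit.cjs": b"(function(){var _0x4f2a=['a'];while(!![]){break;}})();"}

if __name__ == "__main__":
    for line in triage(SAMPLE_PKG, SAMPLE_FILES):
        print("FINDING:", line)
```

Run triage_dir("node_modules/@frostnode/waitfor") in a checkout to get the same findings list for a real install; an empty list for 0.10.6 reflects the scrubbed release, not proof the lockfile never pulled an earlier version.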

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d0e3751015a32bcdd6a8f1f7e864c65992d1d2aa781b6e2a043cd28767549641)

No concrete installer-harm indicators were identified in this version of @frostnode/waitfor. No lifecycle hooks, network destinations, credential-access patterns, or other supply-chain attack fingerprints were surfaced. Coverage of the package contents was partial, so a human reviewer should confirm there is no install-time or import-time behavior of concern before this is treated as cleared.

Affected packages

npm / @frostnode/waitfor
Introduced in: 0

No fixed version published yet for @frostnode/waitfor (npm). Pin to a known-safe version or switch to an alternative.