MAL-2026-6723
Malicious code in electron-orbit (npm)
Details
## Source: amazon-inspector (7faf51a6c9d6ed9fce8cf9de9ea8afee0e9c3dc1fb254e8cd0c3c2a8ca61323f)

On `require('electron-orbit')`, the module unconditionally fires an auto-prefetch pipeline in Node contexts (when no `document` is present) that opens a raw `node:net` socket to `electronorbit.blob.core.windows.net:443` and speaks a hand-written TLS 1.3 stack (custom ClientHello, HKDF key schedule, AES-128-GCM in `aetherls.ts`) rather than using `https`, bypassing standard TLS interception and static inspection. Every network-related string — the Azure hostname components, `node:net`, `connect`, ALPN `http/1.1`, HTTP request line, marker filename, and `process.env` enumeration keys — is XOR-obfuscated through a helper `__s(key, arr)`.

The postinstall script `install.js` writes an install marker to `os.tmpdir()/electron_orbit_install_marker.txt` containing `process.env` entries whose keys match `path` (PATH-family variables) plus `process.cwd()`, and separately stages `os.hostname()`, `os.userInfo().username`, `process.version`, platform and arch into a decoy file under `bin/formatters/` prefixed with a fake native-binary magic byte. On `require`, `index.ts` reads the tmpdir marker, XORs it with the string `electron-orbit`, hex-encodes it, and appends the result as a query-string suffix to the Azure blob URL, so the storage account's HTTP request logs capture the installer's PATH-family environment and working directory.

Activation is gated: the destination host is only populated when the SHA-256 of `process.env.BuildType` is a substring of a hardcoded 64-hex constant (`0ceaa396…8295`); otherwise the source is set to `%TEMP%` and the request fails to resolve, keeping the payload dormant on non-targeted installers and firing only when a specific env var is set (e.g., in a chosen CI environment).

The advertised purpose (Electron-style runtime discovery) has no relationship to icon fetching or SVG rendering; the icon surface is a pretext — `getRegisteredIcon` returns a hardcoded empty `<svg>` regardless of the network response.
Affected packages
No fixed version published yet for electron-orbit (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/electron-orbit/v/1.0.21 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.11 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.14 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.4 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.22 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.23 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.13 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.20 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.26 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.10 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.15 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.12 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.3 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.33 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.34 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.36 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.28 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.27 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.29 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.30 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.25 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.7 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.16 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.5 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.9 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.8 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.6 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.24 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.32 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.18 [PACKAGE]
- https://www.npmjs.com/package/electron-orbit/v/1.0.31 [PACKAGE]