MAL-2026-7010
Malicious code in crypto-promiser (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (25594e7865a7525aebefd2f1fcc8060f144bf202b1986875e1cfd95564f66e88) crypto-promiser@1.0.1 is a typosquat of the legitimate crypto-promise package that ships a dropper in its lifecycle scripts. The declared postinstall runs prepinstall.js, which decodes a base64-hidden URL (aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1dEVDFI -> https://jsonkeeper.com/b/WDT1H) via atob, fetches JSON from that anonymous paste host with axios, and pipes the `.cache` field of the response into a detached `node` child process over stdin, executing attacker-controlled JavaScript on npm install. index.js also contains a top-level IIFE that dynamically imports./prepinstall.js, causing the same fetch-and-exec to fire when the package is require()d or imported. The package name is a single-character edit of crypto-promise and mirrors its API surface (hash, hmac, cipher, pbkdf2) as a lure. The remote payload host is anonymous and mutable, the destination is obfuscated behind base64, and executed bytes come from a non-registry third-party paste — arbitrary code execution on the installer machine at install time and at require time.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for crypto-promiser (npm). Pin to a known-safe version or switch to an alternative.