VDB
KO

MAL-2026-10074

Malicious code in testis-pack (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (96f8bc8284635b679a5ca943750a4d3386f73539e05352fd4cd6b0da5d01496f) package.json declares a preinstall hook (`node index.js`) that runs automatically on `npm install`. index.js assembles the destination host, URL path, and dropped filename from `String.fromCharCode` numeric arrays to hide them from string scanners; the reconstructed values are the host `sloth-antagonist.vercel.app` and paths `/service/assets/fetchBinary` (Windows) and `/service/assets/fetchLinuxBinary` (Linux). The script downloads the unpinned, unverified binary via `https.get(...).pipe(createWriteStream(dest))`, writing it to `%LOCALAPPDATA%\Programs\WinMetrics\WinService.exe` on Windows or `~/.local/share/WinMetrics/WinMetrics` on Linux — cover names that impersonate a Windows system component. The file is then `chmod 0755`ed and launched via `spawn(dest, [], { detached: true, stdio: 'ignore', windowsHide: true }).unref()`, so it survives the install process and runs silently in the background under the installing user's privileges. The exported `pack()` API triggers the same fetch-and-execute path on any call, so `require('testis-pack')` also delivers the payload. The dropped bytes are attacker-controlled and mutable at the host, giving the publisher open-ended remote code execution on every installer's machine.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / testis-pack

No fixed version published yet for testis-pack (npm). Pin to a known-safe version or switch to an alternative.

References