MAL-2026-10209
Malicious code in auto-debug-tool (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8dd31c11b5149d8dd2142c81cc066576dc799ba4dae4599a9569cb56256417ec) package.json declares a postinstall hook (`node install.js`) that fires automatically on `npm install`. On Windows, install.js invokes hidden PowerShell (`-NoP -NonI -W Hidden -Exec Bypass`) to download an executable from raw.githubusercontent.com/cphc811-ui/d3d/main/ on the mutable `main` branch of an unrelated personal GitHub account, then launches it detached with `Start-Process -WindowStyle Hidden`. No hash or signature verification is performed. Execution is gated to skip non-Windows platforms and to skip when NODE_ENV=development, and all errors are swallowed — concealment characteristics that keep the payload dormant on maintainer/dev machines while firing on Windows installers and CI. The fetched binary's publisher does not match the npm package publisher, the source is a mutable branch on a personal account, and the fetch is auto-executed at install time with no verification.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for auto-debug-tool (npm). Pin to a known-safe version or switch to an alternative.