VDB
KO

MAL-2026-10438

Malicious code in netspeedutil (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e07c032df7e95243bcbf1af8d20d23ef9427620fc3050965ca1a3b3ce9faa4f1) On install, setup.js walks up to the installer's project tree and scans image files for a '__STEG__' marker. When found, it AES-256-CBC-decrypts an embedded steganographic payload that points to a file inside the installer's node_modules and uses a regex (`cli.command("build [root]"...finally{...}`) to patch that third-party CLI's build command, prepending an import of netspeedutil/inject.js and an `await inject()` call inside the build's finally block. Once tampered, every subsequent project build runs inject.js, which uses javascript-obfuscator (control-flow flattening, dead-code injection, base64 string-array encoding) to embed an obfuscated client into dist/index.html. That client opens a WebRTC TURN connection to a hardcoded attacker host at 13.234.111.178:3478 as a covert C2 / signaling channel and renders attacker-supplied DOM content to end users of any site the developer ships. The package's stated purpose ('Fast string matching and pattern validation utilities') is a cover story unrelated to the actual code. This is a build-pipeline supply-chain compromise: the installer's production artifacts are silently weaponized against their own end users.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / netspeedutil

No fixed version published yet for netspeedutil (npm). Pin to a known-safe version or switch to an alternative.

References