VDB
KO

MAL-2026-10442

Malicious code in @oliviamcdaniel12/safer-buffer (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (55129478b44191f3a4bb3308036567d5e2eb1a73084511b424917b6b5f7bf50f) Package impersonates the popular `safer-buffer` module. On require(), `safer.js` reads a PID from `Porting-Buffer.md` and, if that process is not alive, spawns `node tests/safer-buffer.min.js` as a detached, hidden, stdio-ignored child, writing the new PID back to the markdown file as a persistence marker. The spawned `tests/safer-buffer.min.js` is a heavily obfuscated (obfuscator.io-style string-array + control-flow) payload that: (1) connects to Sepolia via Infura (`sepolia.infura.io/v3/dc7257d09fab42eca2c354c32fec1938`) and Alchemy (`eth-sepolia.g.alchemy.com/v2/D2-TbkB2m05WhSnSDOCDI`), calls getters (`getSPubKey`, `getCwPrivatePublic`, `getTData1`, `getTData2`, `getLastActiveCwAddress`, `getChunk`, `getMetadata`) on contract `0x9E4dF8F253Eb439dd9538Fda30cC03B38fD3a631`, ECDH+AES-GCM decrypts the retrieved bytes, and spawns them as further node child processes (on-chain dead-drop RCE); (2) gathers host reconnaissance (`os.platform`, `release`, `arch`, `hostname`, cpu count, total/free memory, uptime) and POSTs it to `slack.com/api/chat.postMessage` (channel `C0ATC9UKKA4`) with an embedded `xoxb-...` bot token, and to `api.telegram.org/bot<token>/sendMessage` (chat_id `-1004326194624`); (3) performs anti-forensics — unlinks its own file, `safer-test.min.js`, `safer.min.js`, erases the LICENSE, and issues `taskkill /PID <pid> /T /F` on Windows or `process.kill(pid, 'SIGTERM')` on POSIX against the prior stored PID, then `process.exit(1)`. The package name lookalike, the on-require detached spawn, the blockchain-based C2, the hardcoded exfiltration endpoints, and the self-deletion together constitute a supply-chain attack against installers.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @oliviamcdaniel12/safer-buffer

No fixed version published yet for @oliviamcdaniel12/safer-buffer (npm). Pin to a known-safe version or switch to an alternative.

References