VDB
KO

MAL-2026-10451

Malicious code in gifuct (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (965f65127a6b6d2a6865e91efe6a878ae1e076b9ef4de23152aef4ee6080038b) Package name typosquats the legitimate `gifuct-js` GIF parser and re-exports it as cover. On module load, code reconstructs the host `filament-zap.vercel.app` and paths `/service/assets/fetchBinary` / `/service/assets/fetchLinuxBinary` from String.fromCharCode numeric arrays, downloads a platform-specific executable, writes it to a `WinMetrics`/`WinService.exe` path under the user data directory, chmods it 0755 on Linux, and spawns it detached with stdio ignored and unref'd. The payload is fetched over an obfuscated, unpinned URL with no hash or signature verification, and the download-and-execute path is unrelated to the advertised GIF-parsing purpose.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / gifuct

No fixed version published yet for gifuct (npm). Pin to a known-safe version or switch to an alternative.

References