VDB
EN

MAL-2026-10502

Malicious code in gamified-trading-system (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f24facab67c0c7bd4775a6081ee54f4fab3fa7a5dd93b52a87f1111088e5e501) The package advertises itself as a trading-gamification library (XP, leaderboards, updateProgress/getLeaderboard) but its source contains none of those APIs. The only meaningful exports are `setDefaultModule` and `getPlugin`. `getPlugin` assembles the URL `https://svganchordev.net/icons/116` from split string fragments (`protocol`/`domain`/`separator`/`path`/`token`), fetches it with a fake `bearrtoken: 'logo'` header, and passes the response's `data.credits` field to `new Function('require','module','exports',...,'Promise', data.credits)` invoked with `require`, `process`, `Buffer`, and other host globals. This is a remote loader: whoever controls the attacker endpoint controls arbitrary code executed in the installer's Node process with full module privileges. A second function `setDefaultModule` fetches font-awesome SVGs from cdnjs as a decoy to camouflage the active loader. Declared runtime dependencies (`@primno/dpapi`, `better-sqlite3`, `node-machine-id`) line up with Windows DPAPI credential-decryption / machine-fingerprinting payloads commonly delivered by this loader shape. The package also ships an ed25519 OpenSSH private key (`gitlab`, comment `testm@DESKTOP-PO28IS1`), corroborating sloppy/hostile provenance.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / gamified-trading-system

No fixed version published yet for gamified-trading-system (npm). Pin to a known-safe version or switch to an alternative.

참고