MAL-2026-10738
Malicious code in mui-option (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8e1c3ec117eaeedbd4c3f64c2fec97d44e115d400c7e52082b7d6cc28f7c59ec) The sole shipped file index.js is heavily obfuscated with a base64+RC4 string-array decoder that hides all module names, URLs, and method identifiers. On import (main entrypoint), it requires child_process, os, fs, path, crypto and https, issues an https.get to a runtime-decoded URL, splits the response on ':' into an IV and ciphertext, derives a key with crypto.scryptSync, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under os.tmpdir(), and executes that file via child_process.exec. The package has no legitimate advertised functionality, its name resembles the MUI ecosystem, and no other code path exists. Any project that requires mui-option triggers execution of attacker-controlled native code on the installer host. The tarball also ships npm_recovery_codes.txt containing five 64-character hex strings matching the format of npm 2FA recovery codes, suggesting a publishing-account compromise.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for mui-option (npm). Pin to a known-safe version or switch to an alternative.