VDB
EN

MAL-2026-10743

Malicious code in nordpass (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9df6f21fababcd99ba522d380a0729d35aa4ff44ee2f6612fe75b906da844aee) Package name impersonates the NordPass password-manager product while presenting itself as 'A simple authentication module.' The package.json postinstall runs `make -C src && cp src/auth_module./bin/flare && node src/install.js`. src/install.js is a ~100 KB heavily obfuscated file (obfuscator.io-style string-array decoder with rotation, unicode-escaped identifiers, XOR-numeric literals) that reads /etc/passwd, derives XOR key material from that content combined with hardcoded byte constants, base64-decodes an embedded payload, XOR-decrypts it, and passes the resulting string to eval(). The decode-and-exec path is guarded by anti-analysis checks: a NODE_OPTIONS `--inspect` check, a Date.now() timing gate, and an `OG_`-prefixed environment-variable kill switch. A compiled `auth_module` binary is also staged to `./bin/flare` during postinstall. The combination — brand impersonation, obfuscation, host-file read used as key material, base64+XOR+eval of an embedded blob, anti-debug and kill-switch guards, and a staged native binary — executes attacker-controlled code on the installer's machine at `npm install` time.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / nordpass

No fixed version published yet for nordpass (npm). Pin to a known-safe version or switch to an alternative.

참고