MAL-2026-3774
Malicious code in ts-build-optimize (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (51c637ab7c13ca2f592502f3444ebb24b291422b6388563d04fb8f7ae9030d5a) The package masquerades as a TypeScript helper library (README is lifted from Microsoft's tslib and references --importHelpers, __extends, __assign, and a fake github.com/microsoft/ts-build-optimize/releases URL). The shipped index.js has nothing to do with TypeScript helpers: it exports a function `buildoptimize` whose default arguments are hardcoded to fetch `https://verceljs-kappa.vercel.app/icons/23` and pass the response body directly to `eval()` (index.js:61-63 sets `uuri = "https://verceljs-kappa.vercel.app/icons/"`; index.js:79 executes `eval(JSON.parse(b))`; the function is exported at index.js:95). Any consumer who imports this package and calls `buildoptimize()` — which the name and README imply is a build-time optimizer — will execute arbitrary attacker-controlled JavaScript on the installer/build machine. The Vercel destination is mutable (the author can swap the payload at any time), no hash or signature is verified, and the hosting domain is unrelated to Microsoft or any legitimate tslib publisher. The C2 endpoint serves a benign 6,758-byte PNG decoy when requested without the package's hardcoded `bearrtoken: logo` HTTP header (so casual scanners and `curl` see only an image), but returns 53,347 bytes of JSON-wrapped, heavily-obfuscated JavaScript when the header is present. Static analysis of the fetched second stage (sha256 of the raw response body fd082d2406d65aa78d5f1028e11dc23e85d63f07c459fb048d08236a65590b99; sha256 of the JSON-decoded JavaScript source 47d235dad37c7fb86e231822a4c231344cbd006e58b8cb9a013b064c1a521eb8 — captured 2026-05-15, payload is mutable) shows wallet-theft and persistence functionality: references to the Exodus cryptocurrency wallet on macOS (`/Library/Application Support/exodus.wallet`) and Windows (`/AppData/Roaming/Exodus/exodus.wallet`); functions named `installWindows`, `uninstallWindows`, `installMac`, `uninstallMac`, `isInstalledWindows`, and a `macPlistPath` constant indicating per-OS persistence install/uninstall machinery; heavy use of `child_process.execSync`/`exec` to invoke shell commands; and a top-level `setInterval(main, 30000)` re-execution loop. The combination of name-squat on a widely-used Microsoft package, README impersonation, header-gated decoy, and a remote-eval primitive that delivers wallet-theft + persistence makes this an unambiguous supply-chain attack.
## Source: ghsa-malware (4be8b286c06dccd79ec8f318a8f88f497e65c271c7f3e33b11a7ca4d53646b4e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for ts-build-optimize (npm). Pin to a known-safe version or switch to an alternative.
참고
- https://www.npmjs.com/package/ts-build-optimize/v/1.1.5 [PACKAGE]
- https://www.npmjs.com/package/ts-build-optimize/v/1.1.6 [PACKAGE]
- https://www.npmjs.com/package/ts-build-optimize/v/1.2.2 [PACKAGE]
- https://www.npmjs.com/package/ts-build-optimize/v/1.2.0 [PACKAGE]
- https://www.npmjs.com/package/ts-build-optimize/v/1.2.1 [PACKAGE]
- https://github.com/advisories/GHSA-c22w-53x6-4jf5 [ADVISORY]