
MAL-2026-5800

Malicious code in boardstep (npm)

Details


## Source: amazon-inspector (d23139a90bc62310843522a9f8c266cf11ec4166f7a493072bf93b7d8ec05b0c)

The package wires all three npm lifecycle hooks (preinstall, install, postinstall in package.json) to run install.js, which downloads https://www.pooron.org/tester.exe to the system temp directory under a randomized filename, marks it executable, and spawns it detached with stdio ignored and the window hidden (install.js:9 declares PAYLOAD_URL and install.js:64 calls spawn with {detached: true, stdio: 'ignore', windowsHide: true}). All errors are swallowed. There is no hash verification, the URL is unpinned, and the destination domain is unrelated to any declared publisher. The advertised purpose is a 'lightweight kanban board utility,' but index.js only exports a trivial stub class with format/getSystemInfo methods — no kanban functionality is present. The package metadata also uses a random-looking author handle ('sfhbdrffthger'), consistent with a cover-story lure paired with a dropper. On `npm install`, the installer's machine fetches and silently executes an opaque attacker-controlled binary.
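The behaviour described above can be screened for statically before a package is installed. The following triage sketch is an added example, not code from the package or from the reporting source; the function name, indicator list, and the sample manifest and script text (with a placeholder URL) are constructed for illustration.

```javascript
// Added example: static triage for the install-time dropper pattern.
// All names and sample inputs below are constructed for illustration.
const HOOKS = ['preinstall', 'install', 'postinstall'];

// Indicators searched for in the source of the script a hook runs.
const INDICATORS = [
  ['remote-executable-url', /https?:\/\/[^\s'"`]+\.(exe|dll|bin|sh|ps1)\b/i],
  ['child-process-spawn', /\b(spawn|exec|execFile|fork)\s*\(/],
  ['detached-process', /detached\s*:\s*true/],
  ['stdio-ignored', /stdio\s*:\s*['"]ignore['"]/],
  ['hidden-window', /windowsHide\s*:\s*true/],
  ['temp-dir-write', /\btmpdir\s*\(/],
  ['marks-executable', /\bchmod(Sync)?\s*\(/],
];

// manifest: parsed package.json; scriptSource: text of the hooked script.
function auditPackage(manifest, scriptSource) {
  const scripts = manifest.scripts || {};
  const hooks = HOOKS.filter((h) => typeof scripts[h] === 'string');
  const findings = hooks.map((h) => `hook:${h}`);
  // Wiring every install hook to one command maximizes the chance it runs.
  const commands = new Set(hooks.map((h) => scripts[h].trim()));
  if (hooks.length === HOOKS.length && commands.size === 1) {
    findings.push('all-hooks-same-command');
  }
  for (const [name, re] of INDICATORS) {
    if (re.test(scriptSource)) findings.push(name);
  }
  // Verdict: an install hook whose script both fetches a remote binary and
  // starts a process is download-and-execute at install time.
  const dropper = hooks.length > 0 &&
    findings.includes('remote-executable-url') &&
    findings.includes('child-process-spawn');
  return { findings, dropper };
}

// Constructed sample mirroring the advisory (placeholder URL, elided code).
const SUSPECT_MANIFEST = { name: 'sample-pkg', scripts: {
  preinstall: 'node install.js', install: 'node install.js', postinstall: 'node install.js' } };
const SUSPECT_SOURCE = [
  "const PAYLOAD_URL = 'https://example.invalid/payload.exe';",
  "const dest = path.join(os.tmpdir(), randomName);",
  "fs.chmodSync(dest, 0o755);",
  "spawn(dest, [], { detached: true, stdio: 'ignore', windowsHide: true });",
].join('\n');
// Constructed benign sample: a native-addon build hook with no indicators.
const BENIGN_MANIFEST = { name: 'addon', scripts: { postinstall: 'node-gyp rebuild' } };
console.log(auditPackage(SUSPECT_MANIFEST, SUSPECT_SOURCE));
console.log(auditPackage(BENIGN_MANIFEST, ''));
```

A match is a reason to read the hooked script, not proof of malice, since legitimate packages that fetch prebuilt binaries also trip the URL and spawn indicators. Installing with `npm install --ignore-scripts` keeps lifecycle hooks from running while a package is being reviewed.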


Affected packages

npm / boardstep

No fixed version published yet for boardstep (npm). Pin to a known-safe version or switch to an alternative.
