MAL-2026-6307

@glitchpad/throttler (malicious version 2.2.3, published by glitchpad-revqgz@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern <scope>-<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a throttler utility and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload at primer.cjs. package.json declares a postinstall hook ("node ./primer.cjs") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. The payload blob is byte-identical to @lazyutil/dater@0.9.4 from the same campaign. Malicious payload primer.cjs SHA-256: 68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875.

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (60ffa9bdf180aec157894e395106c8dd7f18fa1f83ff9828d94a9070dbf8cc2e) package.json declares `postinstall: node./primer.cjs`. primer.cjs is a 262 KB heavily obfuscated loader (RC4-decoded string array of 1176 entries, control-flow flattening, self-defending anti-debugger regex trap on Function.prototype.toString) that AES-256-GCM-decrypts a hardcoded URL at runtime, performs an HTTPS request with redirect following, writes the response bytes to a temp file, and then spawns a detached Node process against that file (`spawn(process.execPath, [tmp], {detached:true, stdio:'ignore'})`). The fetched bytes are opaque and the destination is only revealed after runtime decryption. The same dropper is also reachable from the public library API: index.cjs's `addToQueue` calls `require('./primer.cjs').runPrepare?.()` on every queue add, so the payload also fires the first time a consumer uses the advertised throttler — defeating the `npm install --ignore-scripts` mitigation. Publisher metadata is throwaway-shaped (ProtonMail author email, repository pointing at an unrelated personal experiments repo). The package's advertised purpose is an async throttle utility; there is no legitimate reason for it to ship an obfuscated encrypted-URL dropper.