MAL-2026-6564

Malicious code in @thone33/core-utils (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (05561d1a31165dab72c5090437ccfa7a85035a2b4fdf6a646eca59b62dd87120)

@thone33/core-utils 1.0.4 is a loader stub. Its main entry (index.js) imports `activate` from the same-author dependency `@thone33/analytics-injector` and invokes it at module top level whenever `process.env.NODE_ENV === 'production'`. The author's own inline comment describes this as silently activating the payload in production ('ATIVA O PAYLOAD SILENCIOSAMENTE (em produção)'). The package is advertised as 'Core utilities', which does not justify a production-gated call into an 'analytics-injector' dependency. The NODE_ENV=production gate is an evasion pattern: the code stays dormant on developers' laptops and in CI, where nothing is observed, and fires only in deployed production processes, which then execute whatever code the author publishes under @thone33/analytics-injector. Because the injector lives in the same author scope and is declared with the floating range `^1.0.0`, the author can ship arbitrary additional code into consumers' production runtimes through a minor or patch release of the injector without changing this package at all.

Affected packages

npm / @thone33/core-utils
Introduced in: 0

No fixed version published yet for @thone33/core-utils (npm). Pin to a known-safe version or switch to an alternative.

References