Supply-chain threat intelligence

Incident detail

criticalnpm·maintainer compromise·osv

Malicious code in unique-id-64 (npm)

unique-id-64

Risk score

92

AI summary

Indexed incident for unique-id-64 (npm).

Description

Package impersonates the well-known sindresorhus/unique-string utility: package.json copies the author block (name 'Sindre Sorhus', email sindresorhus@hotmail.com, homepage sindresorhus.com), repository field 'sindresorhus/unique-string', and README verbatim, despite not being published by that author. The default export, when invoked as uniqueString(64), AES-256-CBC-decrypts a hardcoded ciphertext (key derived from sha256('256-key')) and hands the plaintext to globalThis.eval, with 'eval' reconstructed obfuscation-style by joining the first letters of ['error','vertex','alphabetic','length']. Before reaching the eval branch, the code consults node-env-detector and short-circuits to a warning log when env.isCI || env.isNpmBot || env.isContainer || env.isVirtualMachineLikely is true — a deliberate sandbox/CI evasion gate so the hidden payload only fires on real developer or production hosts. The combination of identity-spoofed metadata, encrypted eval'd payload, and analysis-evasion gating is an unambiguous supply-chain attack: the installer cannot see what code runs, and the package's stated purpose (generate a unique string) does not require eval, AES decryption, or CI detection.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Technical details

Affected versions

=1.0.0

Indicators

  • Advisory IDs
    90%
  • affected version=1.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents