Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in auto-debug-tool (npm)

auto-debug-tool

Risk score

92

AI summary

Indexed incident for auto-debug-tool (npm).

Description

package.json declares a postinstall hook (node install.js) that fires automatically on npm install. On Windows, install.js invokes hidden PowerShell (-NoP -NonI -W Hidden -Exec Bypass) to download an executable from raw.githubusercontent.com/cphc811-ui/d3d/main/ on the mutable main branch of an unrelated personal GitHub account, then launches it detached with Start-Process -WindowStyle Hidden. No hash or signature verification is performed. Execution is gated to skip non-Windows platforms and to skip when NODE_ENV=development, and all errors are swallowed — concealment characteristics that keep the payload dormant on maintainer/dev machines while firing on Windows installers and CI. The fetched binary's publisher does not match the npm package publisher, the source is a mutable branch on a personal account, and the fetch is auto-executed at install time with no verification.

Technical details

Affected versions

=1.0.3=1.0.2=1.0.0

Indicators

  • affected version=1.0.375%
  • affected version=1.0.275%
  • affected version=1.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents