Supply-chain threat intelligence

Incident detail

criticalnpm·maintainer compromise·osv

Malicious code in redis-type-os (npm)

redis-type-os

Risk score

92

AI summary

Indexed incident for redis-type-os (npm).

Description

Package is published as redis-type-os but all in-package references (README, docs/, CHANGELOG, repository field, author email) point to redis-om / redis-om-node by Guy Royse. dist/index.js is the upstream redis-om bundle verbatim. The only meaningful divergence from upstream is an added runtime dependency hex-type@^3.0.2 declared in package.json, which is not imported anywhere in the shipped code. The package itself contains no exfiltration, dropper, install hook, or credential-handling code; the carrier ships legitimate redis-om functionality. The supply-chain concern is two-fold: (1) the package name (redis-type-os vs redis-om) plus impersonated author identity creates confusion for developers who mistype the real package, and (2) installing it silently pulls hex-type into the dependency closure for reasons unrelated to the advertised functionality. Whether hex-type itself is benign or malicious must be evaluated separately. Routed for human review because name-similarity and author-impersonation are subjective judgments and the carrier itself executes no harmful code at install or import time.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Technical details

Affected versions

=1.0.3=1.0.6=1.0.7=1.0.10>=0

Indicators

  • Advisory IDs
    90%
  • affected version=1.0.375%
  • affected version=1.0.675%
  • affected version=1.0.775%
  • affected version=1.0.1075%
  • affected version>=075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents