Supply-chain threat intelligence

Incident detail

critical · npm · obfuscation · osv

Malicious code in electron-orbit (npm)

electron-orbit

Risk score

92

AI summary

Indexed incident for electron-orbit (npm).

Description

On require('electron-orbit'), the module unconditionally fires an auto-prefetch pipeline in Node contexts (when no document is present) that opens a raw node:net socket to electronorbit.blob.core.windows.net:443 and speaks a hand-written TLS 1.3 stack (custom ClientHello, HKDF key schedule, AES-128-GCM in aetherls.ts) rather than using https, bypassing standard TLS interception and static inspection.

Every network-related string — the Azure hostname components, node:net, connect, ALPN http/1.1, HTTP request line, marker filename, and process.env enumeration keys — is XOR-obfuscated through a helper __s(key, arr).

The postinstall script install.js writes an install marker to os.tmpdir()/electron_orbit_install_marker.txt containing process.env entries whose keys match path (PATH-family variables) plus process.cwd(), and separately stages os.hostname(), os.userInfo().username, process.version, platform and arch into a decoy file under bin/formatters/ prefixed with a fake native-binary magic byte.

On require, index.ts reads the tmpdir marker, XORs it with the string electron-orbit, hex-encodes it, and appends the result as a query-string suffix to the Azure blob URL, so the storage account's HTTP request logs capture the installer's PATH-family environment and working directory.

Activation is gated: the destination host is only populated when the SHA-256 of process.env.BuildType is a substring of a hardcoded 64-hex constant (0ceaa396…8295); otherwise the source is set to %TEMP% and the request fails to resolve, keeping the payload dormant on non-targeted installers and firing only when a specific env var is set (e.g., in a chosen CI environment).

The advertised purpose (Electron-style runtime discovery) has no relationship to icon fetching or SVG rendering; the icon surface is a pretext — getRegisteredIcon returns a hardcoded empty <svg> regardless of the network response.

Technical details

Affected versions

=1.0.21, =1.0.11, =1.0.14, =1.0.4, =1.0.22, =1.0.23, =1.0.13, =1.0.20, =1.0.26, =1.0.10, =1.0.15, =1.0.12, =1.0.3, =1.0.33, =1.0.34, =1.0.36, =1.0.28, =1.0.27, =1.0.29, =1.0.30, =1.0.25, =1.0.7, =1.0.16, =1.0.5, =1.0.9, =1.0.8, =1.0.6, =1.0.24, =1.0.32, =1.0.18, =1.0.31

Indicators

  • affected version =1.0.21 (75%)
  • affected version =1.0.11 (75%)
  • affected version =1.0.14 (75%)
  • affected version =1.0.4 (75%)
  • affected version =1.0.22 (75%)
  • affected version =1.0.23 (75%)
  • affected version =1.0.13 (75%)
  • affected version =1.0.20 (75%)
  • affected version =1.0.26 (75%)
  • affected version =1.0.10 (75%)
  • affected version =1.0.15 (75%)
  • affected version =1.0.12 (75%)
  • affected version =1.0.3 (75%)
  • affected version =1.0.33 (75%)
  • affected version =1.0.34 (75%)
  • affected version =1.0.36 (75%)
  • affected version =1.0.28 (75%)
  • affected version =1.0.27 (75%)
  • affected version =1.0.29 (75%)
  • affected version =1.0.30 (75%)
  • affected version =1.0.25 (75%)
  • affected version =1.0.7 (75%)
  • affected version =1.0.16 (75%)
  • affected version =1.0.5 (75%)
  • affected version =1.0.9 (75%)
  • affected version =1.0.8 (75%)
  • affected version =1.0.6 (75%)
  • affected version =1.0.24 (75%)
  • affected version =1.0.32 (75%)
  • affected version =1.0.18 (75%)
  • affected version =1.0.31 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
