Supply-chain threat intelligence

Incident detail

criticalnpm·typosquatting·osv

Malicious code in ulid-xyz (npm)

ulid-xyz

Risk score

92

AI summary

Indexed incident for ulid-xyz (npm).

Description

ulid-xyz is a typosquat of the popular ulid library (sortable unique IDs) and is a cross-platform Remote Access Trojan delivered via a postinstall hook. The package.json postinstall superficially looks like an inline node -e guard that checks for the existence of a dist file, but it actually launches dist/node/utils.js as a detached background process, which in turn runs dist/node/payload.js -- a 467 KB bundled RAT. payload.js decodes XOR+base64-obfuscated configuration (_CFG.WS / _CFG.HTTP) to beacon to a hardcoded attacker-controlled C2 over WebSocket at ws://95.216.232.162:8010/ (with an HTTP fallback at http://95.216.232.162:8010/), establishing a WebSocket RAT channel. It installs persistence on all three major operating systems under the stem MicrosoftSystem64: on Windows under %LOCALAPPDATA%\MicrosoftSystem64; on macOS under ~/Library/Application Support/MicrosoftSystem64 plus a LaunchAgent at ~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist; and on Linux under ~/.local/share/MicrosoftSystem64. The install-time detached spawn (process management capability) and the ~8x package size spike (64 KB to 536 KB) correspond to the bundled RAT payload -- behavior a ULID library has no legitimate need for. All versions of ulid-xyz were published by the same actor (iloiyxo643 / iloiyxo643@ufiwi.space, a disposable email address) and are considered malicious.


-= Per source details. Do not edit below this line.=-

Package publishes as 'ulid-xyz' — a name edit away from the established 'ulidx' / 'ulid' libraries — and its README instructs users to npm install index-ulid and import { ulid } from "index-ulid", pointing at a second confusable name maintained by the same author. The declared homepage links to the canonical ulid repository (github.com/ulid/javascript), reinforcing the impersonation. package.json declares scripts.postinstall that runs node dist/node/utils.js after a required-files guard, but dist/node/utils.js is absent from this tarball — only dist/node/index.cjs and dist/node/index.js ship. As published, the guard throws and the postinstall is inert, so no malicious code executes on install in this version. The wired-but-missing lifecycle target combined with the confusable name and a bloated runtime dependency list (pino, ws, zod, esbuild, tsup, ts-node, typescript, @types/node, @types/ws, and a meta postinstall package — none required for ULID generation, where the legitimate ulidx ships zero runtime deps) is consistent with a dormant-dropper staging pattern: ship a benign tarball under a confusable name, then publish a future version that fills in the postinstall target. No exfiltration, no install-time RCE, and no silent-relay are present in the current code, so a public block would overclaim the present-version harm. Routing to human review for confusion-risk assessment and so a reviewer can monitor future versions of this name.

Technical details

Affected versions

=3.2.3=3.2.4=3.1.0=2.12.1=3.2.2=3.2.1>=0

Indicators

  • affected version=3.2.375%
  • affected version=3.2.475%
  • affected version=3.1.075%
  • affected version=2.12.175%
  • affected version=3.2.275%
  • affected version=3.2.175%
  • affected version>=075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents