Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in my-empty-package (npm)

my-empty-package

Risk score

92

AI summary

Indexed incident for my-empty-package (npm).

Description

package.json declares postinstall: node index.js. On npm install, index.js branches on os.platform() and executes platform-specific shell commands: osascript on macOS, powershell -WindowStyle Hidden -EncodedCommand <base64-UTF16LE> on Windows, and python3 -c 'os.system(...)' on Linux. After the payload runs, a cleanup step renames a shipped package.md over package.json and unlinks index.js itself, removing the install-time script from disk and presenting a different manifest to any post-install inspection. The hidden-window base64-encoded PowerShell invocation is a standard malware evasion technique. Manifest swap + entrypoint self-deletion is anti-forensic behavior with no legitimate purpose. Even though the current payload body is a benign demonstration (opens the calculator), the delivery framework is a fully-functional install-time RCE dropper skeleton: any content placed in the platform branches would execute automatically on install with the user's privileges and then erase its own traces.

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents