Supply-chain threat intelligence
Risk score
92
Indexed incident for nordpass (npm).
Package name impersonates the NordPass password-manager product while presenting itself as 'A simple authentication module.' The package.json postinstall runs make -C src && cp src/auth_module./bin/flare && node src/install.js. src/install.js is a ~100 KB heavily obfuscated file (obfuscator.io-style string-array decoder with rotation, unicode-escaped identifiers, XOR-numeric literals) that reads /etc/passwd, derives XOR key material from that content combined with hardcoded byte constants, base64-decodes an embedded payload, XOR-decrypts it, and passes the resulting string to eval(). The decode-and-exec path is guarded by anti-analysis checks: a NODE_OPTIONS --inspect check, a Date.now() timing gate, and an OG_-prefixed environment-variable kill switch. A compiled auth_module binary is also staged to ./bin/flare during postinstall. The combination — brand impersonation, obfuscation, host-file read used as key material, base64+XOR+eval of an embedded blob, anti-debug and kill-switch guards, and a staged native binary — executes attacker-controlled code on the installer's machine at npm install time.
The OpenSSF Package Analysis project identified 'nordpass' @ 1.0.2 (npm) as malicious.
It is considered malicious because:
Affected versions
Indicators
Timeline