Supply-chain threat intelligence

Incident detail

criticalnpm·obfuscation·osv

Malicious code in nordpass (npm)

nordpass

Risk score

92

AI summary

Indexed incident for nordpass (npm).

Description

Package name impersonates the NordPass password-manager product while presenting itself as 'A simple authentication module.' The package.json postinstall runs make -C src && cp src/auth_module./bin/flare && node src/install.js. src/install.js is a ~100 KB heavily obfuscated file (obfuscator.io-style string-array decoder with rotation, unicode-escaped identifiers, XOR-numeric literals) that reads /etc/passwd, derives XOR key material from that content combined with hardcoded byte constants, base64-decodes an embedded payload, XOR-decrypts it, and passes the resulting string to eval(). The decode-and-exec path is guarded by anti-analysis checks: a NODE_OPTIONS --inspect check, a Date.now() timing gate, and an OG_-prefixed environment-variable kill switch. A compiled auth_module binary is also staged to ./bin/flare during postinstall. The combination — brand impersonation, obfuscation, host-file read used as key material, base64+XOR+eval of an embedded blob, anti-debug and kill-switch guards, and a staged native binary — executes attacker-controlled code on the installer's machine at npm install time.

The OpenSSF Package Analysis project identified 'nordpass' @ 1.0.2 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Technical details

Affected versions

=1.0.0=1.0.2=1.0.4

Indicators

  • affected version=1.0.075%
  • affected version=1.0.275%
  • affected version=1.0.475%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents