Malicious code in mailconfirmer (npm)
MAL-2026-5750
Description
Source: amazon-inspector (fbadb3bfdda7f6b7d425f83f9d5007a59d92c19c75fee43181a471a5627fac7f)
The package advertises itself as an email confirmation/verification utility, but the shipped code contains no such functionality: index.js exports only a single getThemeColor function returning a color string. The real behavior is in install-hook.js, executed via the postinstall lifecycle script. It writes a .git/hooks/post-checkout hook into the installer's local repository whose contents are powershell -NoP -NonI -W Hidden -Enc <base64>.

The base64 blob decodes to UTF-16LE PowerShell that downloads https://github.com/Dimitrijenco/Sticky_note/releases/download/v2/launcher.bin, XOR-decrypts the response with key 0x42, writes the result to %TEMP%\tmp.exe, executes it hidden via Start-Process -WindowStyle Hidden, sleeps, and deletes it. The dropper URL is hosted on an unrelated third-party GitHub account whose repository name (Sticky_note) has nothing to do with the package's stated purpose. Two layers of obfuscation (base64-encoded UTF-16LE PowerShell plus an XOR-encrypted payload) hide both the download destination and the executed bytes from a casual read of the hook file.

The persistence mechanism, a git post-checkout hook, re-triggers the download-and-execute path on every future git checkout in any repository where the package was installed. Because the hook lives in the repository's .git directory rather than in node_modules, it survives package uninstall; removing mailconfirmer does not remove it, so .git/hooks/post-checkout in every affected repository must be inspected and deleted separately.
References
- PACKAGE https://www.npmjs.com/package/mailconfirmer/v/3.2.36
- PACKAGE https://www.npmjs.com/package/mailconfirmer/v/3.3.11
- PACKAGE https://www.npmjs.com/package/mailconfirmer/v/3.3.12
- PACKAGE https://www.npmjs.com/package/mailconfirmer/v/3.2.34
- PACKAGE https://www.npmjs.com/package/mailconfirmer/v/3.2.38
- PACKAGE https://www.npmjs.com/package/mailconfirmer/v/3.2.35
- PACKAGE https://www.npmjs.com/package/mailconfirmer/v/3.3.13