emiltype/jsonspack

discovered 2026-07-09

SafeDep-tracked npm operation by the account conodeeth ([email protected]). Ships package pairs: a byte-for-byte clone of a popular library acts as an innocuous carrier and injects one malicious runtime dependency that is a repackaged legitimate library hosting a runtime-call-triggered RCE backdoor (no install hook, inert on require). Two pairs known: nodemon-sudo/tslint-conf re-shipped hours after npm took down the first pair nodemon-node/ts-await, reusing the same Pinata IPFS CID and jsonkeeper dead-drop. LOW/tentative resemblance to the DPRK-linked (Contagious Interview/BeaverTail) jsonkeeper+IPFS npm cluster — technique/infrastructure family only, NOT hard-indicator attribution; could be that cluster or a copycat.

Objective

Remote code execution and (suspected) credential/browser-database theft on developer and server machines running applications that wire in the fake logger.

Packages

Indicators

Techniques

Read the full analysis →