malware npm

@briskforge/envcheck

discovered 2026-06-23

Campaign member that masquerades as a tiny environment-variable validator (it ships a genuine validator-backed envcheck() as a decoy). Malicious versions 0.5.2-0.5.4 ship a 277356-byte obfuscated payload (lib/preflight.js) that is auto-executed via postinstall 'node lib/preflight.js'. DUAL TRIGGER, like @petitcode/eb-retry: lib/index.js does require('./preflight') at require-time, and envcheck() calls preflight.runPrepare() on first invocation, so the payload fires even when the package is installed with --ignore-scripts. The preflight.js wrapper self-documents this in a plaintext comment ('runs once per process from the library entry point, and once again as a standalone script during postinstall'). The latest version, 0.5.5, has been scrubbed to empty scripts. Publisher [email protected]; author [email protected] / github.com/briskforge. Created 2026-06-04T07:32:50Z.

Threat types

credential_stealer data_exfiltration persistence typosquat

Malicious versions

  • 0.5.2
  • 0.5.3
  • 0.5.4
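A triage check for the dual trigger described above, written for this entry as an added example (it is not code from the package or from the analysis): it reports every lifecycle script that runs `node <file>` and whether that same file is also reachable from the package entry point through static relative require() calls, which is the case --ignore-scripts does not cover. The function names, the in-memory Map of path to source, and the sample package are assumptions made for the illustration; dynamic or computed require() calls are not followed.

```javascript
// Added example: which lifecycle-script targets are also loaded by require()?
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
// Collapse "." and ".." segments without touching the filesystem.
const norm = p => p.split('/').reduce((out, s) => {
  if (s === '..') out.pop(); else if (s && s !== '.') out.push(s);
  return out;
}, []).join('/');
// Resolve a relative specifier against the in-memory file map (path -> source).
function resolve(files, fromFile, spec) {
  const dir = fromFile.split('/').slice(0, -1).join('/');
  const base = norm(dir + '/' + spec);
  return [base, base + '.js', base + '/index.js'].find(c => files.has(c)) || null;
}
// Files pulled in at require-time: follow static relative require() calls.
function requireClosure(files, entry) {
  const seen = new Set(), stack = [entry];
  while (stack.length) {
    const f = stack.pop();
    if (!f || seen.has(f)) continue;
    seen.add(f);
    for (const m of files.get(f).matchAll(/require\(\s*['"](\.{1,2}\/[^'"]+)['"]\s*\)/g)) {
      stack.push(resolve(files, f, m[1]));
    }
  }
  return seen;
}
// One finding per lifecycle hook that runs "node <file>".
function auditPackage(files) {
  const pkg = JSON.parse(files.get('package.json'));
  const entry = resolve(files, 'package.json', './' + (pkg.main || 'index.js'));
  const loaded = entry ? requireClosure(files, entry) : new Set();
  const findings = [];
  for (const hook of LIFECYCLE) {
    const m = /\bnode\s+(\S+)/.exec((pkg.scripts || {})[hook] || '');
    if (!m) continue;
    const target = resolve(files, 'package.json', './' + m[1]);
    findings.push({ hook, target, survivesIgnoreScripts: !!target && loaded.has(target) });
  }
  return findings;
}
// Constructed sample mirroring the layout described above; file bodies are inert stubs.
const SAMPLE = new Map([
  ['package.json', JSON.stringify({ name: 'sample-pkg', main: 'lib/index.js',
    scripts: { postinstall: 'node lib/preflight.js' } })],
  ['lib/index.js', "const preflight = require('./preflight');\n" +
    'module.exports = function envcheck() { preflight.runPrepare(); };'],
  ['lib/preflight.js', 'exports.runPrepare = function () {};'],
]);
console.log(auditPackage(SAMPLE));
```

To audit a real tarball, unpack it without installing and fill the Map with its file paths and contents before calling auditPackage().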
