malware
npm
@chunklab/hexparse
discovered 2026-06-23Campaign member. Versions 1.0.7 and 1.1.4-1.1.6 ship a ~277KB obfuscated payload (script/prelude.cjs; 1.0.7 used lib/prelude.js) auto-executed via postinstall 'node ./script/prelude.cjs' (1.0.7: 'node lib/prelude.js'). Latest 1.1.7 scrubbed to empty scripts. Same payload template as the root lineage.
Threat types
credential_stealer data_exfiltration persistence typosquat
Malicious versions
- 1.0.7
- 1.1.4
- 1.1.5
- 1.1.6 · 4f7310bd9888599c…