malware npm

@chunklab/hexparse

discovered 2026-06-23

Campaign member. Versions 1.0.7 and 1.1.4-1.1.6 ship a ~277KB obfuscated payload (script/prelude.cjs; 1.0.7 used lib/prelude.js) auto-executed via postinstall 'node ./script/prelude.cjs' (1.0.7: 'node lib/prelude.js'). Latest 1.1.7 scrubbed to empty scripts. Same payload template as the root lineage.

Threat types

credential_stealer data_exfiltration persistence typosquat

Malicious versions

  • 1.0.7
  • 1.1.4
  • 1.1.5
  • 1.1.6 · 4f7310bd9888599c…

Campaigns

Indicators

Techniques

Read the full analysis →