malware
npm
@frostnode/waitfor
discovered 2026-06-23Campaign member, masquerades as a predicate-based RxJS wait/poll operator (decoy code cloned from rxjs-poll). Malicious version 0.9.0 used postinstall 'node lib/tickinit.js'; versions 0.10.3-0.10.5 ship a 259358-byte obfuscated payload (dist/cjs/tickinit.cjs) auto-executed via postinstall 'node ./dist/cjs/tickinit.cjs'. Carries the campaign's dynamically-obscured require fingerprint with a different variable name: require(_0x2cb1b0['UGeLH']) (same technique as the canonical require(_0x45af03['GyrZN'])). Latest 0.10.6 scrubbed to empty scripts. Publisher [email protected]; author [email protected] / github.com/frostnode. Created 2026-06-04T08:05:01Z, extending the campaign seeding window to ~08:05 UTC.
Threat types
credential_stealer data_exfiltration persistence typosquat
Malicious versions
- 0.9.0
- 0.10.3
- 0.10.4
- 0.10.5