malware npm

@frostnode/waitfor

discovered 2026-06-23

Campaign member, masquerades as a predicate-based RxJS wait/poll operator (decoy code cloned from rxjs-poll). Malicious version 0.9.0 used postinstall 'node lib/tickinit.js'; versions 0.10.3-0.10.5 ship a 259358-byte obfuscated payload (dist/cjs/tickinit.cjs) auto-executed via postinstall 'node ./dist/cjs/tickinit.cjs'. Carries the campaign's dynamically-obscured require fingerprint with a different variable name: require(_0x2cb1b0['UGeLH']) (same technique as the canonical require(_0x45af03['GyrZN'])). Latest 0.10.6 scrubbed to empty scripts. Publisher [email protected]; author [email protected] / github.com/frostnode. Created 2026-06-04T08:05:01Z, extending the campaign seeding window to ~08:05 UTC.

Threat types

credential_stealer data_exfiltration persistence typosquat

Malicious versions

  • 0.9.0
  • 0.10.3
  • 0.10.4
  • 0.10.5

Campaigns

Indicators

Techniques

Read the full analysis →