malware
npm
@glitchpad/throttler
discovered 2026-06-23
Campaign member, masquerades as a throttler utility (ships a genuine throttler as decoy). Version 2.2.3 ships a ~263KB obfuscated downloader payload (primer.cjs) auto-executed via postinstall 'node ./primer.cjs'. Amazon Inspector's fuller enumeration lists 2.1.1 and 2.2.1-2.2.4 as malicious. Same execution wrapper and obfuscator template as the root lineage; build cluster B (string-array fn _0x36b9, guard __7D0A53D40B_TAG), shared with @nullzero/@lazyutil. Downloader -> Rust infostealer chain per Amazon Inspector.
Threat types
credential_stealer data_exfiltration persistence typosquat
Malicious versions
- 2.1.1
- 2.2.1
- 2.2.2
- 2.2.3 · c78651dde9b6a966…
- 2.2.4