malware
npm
@nullzero/urlcat
discovered 2026-06-23Same-actor campaign member. SafeDep could not statically verify the payload (flagged version 1.4.2, postinstall 'node lib/encoder.js', ~41x size spike, was UNPUBLISHED before inspection; tarball returns null). Amazon Inspector's fuller enumeration lists 1.4.0-1.4.3 as malicious and places this package in build cluster B (_0x36b9 / __7D0A53D40B_TAG) alongside @glitchpad/@lazyutil, corroborating the downloader -> Rust infostealer behavior. Attributed by shared publisher infrastructure ([email protected]), build-cluster fingerprint, and external triage c1896. Created 2026-06-04T07:33:08Z.
Threat types
credential_stealer data_exfiltration persistence typosquat
Malicious versions
- 1.4.0
- 1.4.1
- 1.4.2
- 1.4.3