malware npm

@nullzero/urlcat

discovered 2026-06-23

Same-actor campaign member. SafeDep could not statically verify the payload (flagged version 1.4.2, postinstall 'node lib/encoder.js', ~41x size spike, was UNPUBLISHED before inspection; tarball returns null). Amazon Inspector's fuller enumeration lists 1.4.0-1.4.3 as malicious and places this package in build cluster B (_0x36b9 / __7D0A53D40B_TAG) alongside @glitchpad/@lazyutil, corroborating the downloader -> Rust infostealer behavior. Attributed by shared publisher infrastructure ([email protected]), build-cluster fingerprint, and external triage c1896. Created 2026-06-04T07:33:08Z.

Threat types

credential_stealer data_exfiltration persistence typosquat

Malicious versions

  • 1.4.0
  • 1.4.1
  • 1.4.2
  • 1.4.3

Campaigns

Indicators

Techniques

Read the full analysis →