malware npm

@petitcode/eb-retry

discovered 2026-06-23

Campaign member, decoy is a near-verbatim copy of the legitimate 'retry' package. Version 1.3.5 ships a 282KB obfuscated payload (lib/warmup.js) auto-executed via postinstall 'node lib/warmup.js'. Dual trigger: also fires at require-time because the exported retry() in lib/index.js calls warmup.runPrepare(), so the payload runs the first time application code calls retry() even when postinstall is skipped with --ignore-scripts.

Threat types

credential_stealer data_exfiltration persistence typosquat

Malicious versions

  • 1.3.5 · d75a372e91c4972e…

Campaigns

Indicators

Techniques

Read the full analysis →