MAL-2026-10743

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nordpass/MAL-2026-10743.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10743
Published
2026-07-16T06:35:57Z
Modified
2026-07-17T03:19:27.216632760Z
Summary
Malicious code in nordpass (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9df6f21fababcd99ba522d380a0729d35aa4ff44ee2f6612fe75b906da844aee)

Package name impersonates the NordPass password-manager product while presenting itself as 'A simple authentication module.' The package.json postinstall runs make -C src && cp src/auth_module./bin/flare && node src/install.js. src/install.js is a ~100 KB heavily obfuscated file (obfuscator.io-style string-array decoder with rotation, unicode-escaped identifiers, XOR-numeric literals) that reads /etc/passwd, derives XOR key material from that content combined with hardcoded byte constants, base64-decodes an embedded payload, XOR-decrypts it, and passes the resulting string to eval(). The decode-and-exec path is guarded by anti-analysis checks: a NODE_OPTIONS --inspect check, a Date.now() timing gate, and an OG_-prefixed environment-variable kill switch. A compiled auth_module binary is also staged to ./bin/flare during postinstall. The combination — brand impersonation, obfuscation, host-file read used as key material, base64+XOR+eval of an embedded blob, anti-debug and kill-switch guards, and a staged native binary — executes attacker-controlled code on the installer's machine at npm install time.

Source: ossf-package-analysis (9924ec9036b6c4caf7436a5e7ba79ed4e1b31fb1732c884d164c340a6982886d)

The OpenSSF Package Analysis project identified 'nordpass' @ 1.0.2 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "9df6f21fababcd99ba522d380a0729d35aa4ff44ee2f6612fe75b906da844aee",
            "import_time": "2026-07-16T18:54:02.211800559Z",
            "modified_time": "2026-07-16T18:40:35Z",
            "id": "IN-MAL-2026-010741",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "sha256": "9924ec9036b6c4caf7436a5e7ba79ed4e1b31fb1732c884d164c340a6982886d",
            "versions": [
                "1.0.2"
            ],
            "import_time": "2026-07-17T03:07:33.712326401Z",
            "source": "ossf-package-analysis",
            "modified_time": "2026-07-16T06:35:57Z"
        },
        {
            "sha256": "c1b4ec7d9dfd8f6566efafa88495903265e6c8f4682285066df303a1818f9b1d",
            "modified_time": "2026-07-16T06:40:57Z",
            "versions": [
                "1.0.4"
            ],
            "source": "ossf-package-analysis",
            "import_time": "2026-07-17T03:07:33.795182982Z"
        }
    ]
}
References
Credits

Affected packages

npm / nordpass

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.2
1.0.4

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "nordpass-1.0.0.tgz",
            "hashes": {
                "sha1": "52cd40157263d0cafa2378cb2279c21e84f03929",
                "sha512_sri": "sha512-hmzbT6JwynecRXqaGJykUQvg/3S2OGfPl9gZ4ALGsRdULPfPjARrKJ6K+kUdPxnM8/N3pSpx2G2tthbZnA5G2Q=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "84a35e1b3dd494f7b1251dbf2e2c498ddb64fc8661b88178a2767827d08747f2aa0336",
            "sha256": "32fb104c032b62551ef5e0d12ab4bf742a5c2d11988e12d302a3b8b8ac748a41",
            "path": "src/install.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nordpass/MAL-2026-10743.json"