-= Per source details. Do not edit below this line.=-
Package name impersonates the NordPass password-manager product while presenting itself as 'A simple authentication module.' The package.json postinstall runs make -C src && cp src/auth_module./bin/flare && node src/install.js. src/install.js is a ~100 KB heavily obfuscated file (obfuscator.io-style string-array decoder with rotation, unicode-escaped identifiers, XOR-numeric literals) that reads /etc/passwd, derives XOR key material from that content combined with hardcoded byte constants, base64-decodes an embedded payload, XOR-decrypts it, and passes the resulting string to eval(). The decode-and-exec path is guarded by anti-analysis checks: a NODE_OPTIONS --inspect check, a Date.now() timing gate, and an OG_-prefixed environment-variable kill switch. A compiled auth_module binary is also staged to ./bin/flare during postinstall. The combination — brand impersonation, obfuscation, host-file read used as key material, base64+XOR+eval of an embedded blob, anti-debug and kill-switch guards, and a staged native binary — executes attacker-controlled code on the installer's machine at npm install time.
The OpenSSF Package Analysis project identified 'nordpass' @ 1.0.2 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "9df6f21fababcd99ba522d380a0729d35aa4ff44ee2f6612fe75b906da844aee",
"import_time": "2026-07-16T18:54:02.211800559Z",
"modified_time": "2026-07-16T18:40:35Z",
"id": "IN-MAL-2026-010741",
"versions": [
"1.0.0"
]
},
{
"sha256": "9924ec9036b6c4caf7436a5e7ba79ed4e1b31fb1732c884d164c340a6982886d",
"versions": [
"1.0.2"
],
"import_time": "2026-07-17T03:07:33.712326401Z",
"source": "ossf-package-analysis",
"modified_time": "2026-07-16T06:35:57Z"
},
{
"sha256": "c1b4ec7d9dfd8f6566efafa88495903265e6c8f4682285066df303a1818f9b1d",
"modified_time": "2026-07-16T06:40:57Z",
"versions": [
"1.0.4"
],
"source": "ossf-package-analysis",
"import_time": "2026-07-17T03:07:33.795182982Z"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "nordpass-1.0.0.tgz",
"hashes": {
"sha1": "52cd40157263d0cafa2378cb2279c21e84f03929",
"sha512_sri": "sha512-hmzbT6JwynecRXqaGJykUQvg/3S2OGfPl9gZ4ALGsRdULPfPjARrKJ6K+kUdPxnM8/N3pSpx2G2tthbZnA5G2Q=="
}
}
],
"evidence_files": [
{
"tlsh": "84a35e1b3dd494f7b1251dbf2e2c498ddb64fc8661b88178a2767827d08747f2aa0336",
"sha256": "32fb104c032b62551ef5e0d12ab4bf742a5c2d11988e12d302a3b8b8ac748a41",
"path": "src/install.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nordpass/MAL-2026-10743.json"