MAL-2026-3777
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vue-template-compiler-plugin/MAL-2026-3777.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-3777
- Published
- 2026-05-13T11:26:29Z
- Modified
- 2026-05-18T01:47:37.379088Z
- Summary
- Malicious code in vue-template-compiler-plugin (npm)
- Details
-
Full C2 implant disguised as vue-template-compiler fork. postinstall-run.cjs loads tooling-bootstrap.cjs which contains base64-encoded C2 agent. Decoded payload: registers victim (hostname, username, OS) to Cloudflare tunnel C2 at maiden-apply-looks-education.trycloudflare.com, beacons for tasks, reports results, uploads files. Persists agent ID in ~/.gradle-cache/.aid. Has C2TLSINSECURE env var bypass. Package mirrors vue-template-compiler version 2.7.16 and claims to be an 'API-compatible fork with postinstall hooks' — social engineering for npm override/alias substitution.
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (de772e4b79f4da4ae64ea768f8ddc74bd6cd5d5c41f971d30de12ca0c8ed70c1)
This package impersonates the legitimate vue-template-compiler (same version 2.7.18, framed as an "API-compatible fork"), and its package.json description instructs consumers to alias the real name to this one via npm overrides or resolve.alias. On install, the postinstall hook (postinstall-run.cjs) loads tooling-bootstrap.cjs, which assembles ~80 base64 string fragments in BOOTSTRAP_B64, Buffer.from-decodes them, writes the result to ~/.gradle/daemon/tooling-api-runtime.mjs (a cover-story path mimicking a Gradle cache), and then spawns node on that file with detached: true, stdio: 'ignore', windowsHide: true, and child.unref() so the process survives npm install. The decoded payload is a remote-access trojan that polls https://maiden-apply-looks-education.trycloudflare.com/ for commands, executes arbitrary shell commands on the installer's host, and exfiltrates files. Three independent block signals: (1) typosquat-with-divergent-API against a top-tier Vue package, (2) obfuscated base64-chunked executable payload decoded and exec'd at install, (3) persistent detached RAT beaconing to an attacker-controlled Cloudflare quick-tunnel.
- Database specific
{ "malicious-packages-origins": [ { "sha256": "de772e4b79f4da4ae64ea768f8ddc74bd6cd5d5c41f971d30de12ca0c8ed70c1", "source": "amazon-inspector", "modified_time": "2026-05-14T19:25:25Z", "id": "IN-MAL-2026-002723", "import_time": "2026-05-15T07:37:18.18038023Z", "versions": [ "2.7.18" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- SafeDep - FINDER
-
Affected packages
npm / vue-template-compiler-plugin
Package
- Name
- vue-template-compiler-plugin
- View open source insights on deps.dev
- Purl
- pkg:npm/vue-template-compiler-plugin
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vue-template-compiler-plugin/MAL-2026-3777.json"
indicators
{
"package_integrity": [
{
"filename": "vue-template-compiler-plugin-2.7.18.tgz",
"hashes": {
"sha1": "fd056dcb2e16c8f5bc04e9ed74267b7d07813425",
"sha512_sri": "sha512-k+LxuKgfH3XcoEAN1nsfogt/IuH1xJsQuPuOW477QR+Lz2waarZ+x+UN2M6cn9EOwMOoc4fA08/hD7JzaS3R2A=="
}
}
],
"evidence_files": [
{
"path": "tooling-bootstrap.cjs",
"tlsh": "6c82d5a7ce8b2d548760464226de5ac9184e43872c92b8ec776e868d1f0f83f91f11ed",
"sha256": "c59e160a8c9712a28201a6ac89fc9f322d678c2f77c6504c826ea0e4c5a2fa5e"
},
{
"path": "package.json",
"tlsh": "9821f868c43c9e531bf816e8aa550007e626b8034e54ad1632d342188a8f7bf41ff06e",
"sha256": "da31f9bf893f17a852542b11918c1f380c6ca55bc199019805950128a9c4077e"
}
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]