MAL-2026-4198

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/terminal-logger-utils/MAL-2026-4198.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4198
Aliases
  • GHSA-h9jr-prgp-c322
Published
2026-05-20T06:43:15Z
Modified
2026-05-26T06:02:59.532812946Z
Summary
Malicious code in terminal-logger-utils (npm)
Details

terminal-logger-utils is a malicious npm package that when installed executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper checks the current system, downloads a platform-specific second-stage binary from Hugging Face, and executes it.

The second-stage payload is a bundled Node.js executable with embedded malicious JavaScript that provides keylogger, infostealer, and RAT behavior. It collects clipboard and keyboard events, tracks password-field typing, steals sensitive local data including Telegram Desktop sessions, browser login databases, crypto wallets, SSH keys, cloud configurations, environment variables, and keyword-matched files, and connects to a remote server for full machine control.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9f3e7beb4e0d682d701e7f8b2f2ee043d4cda378963b0786e75775471839bc6a)

Package self-describes as a zero-dependency colorized logger but ships a 264KB heavily obfuscated postinstall script (utils.cjs, invoked via package.json scripts.postinstall). On install, the script first re-spawns itself detached from npm and exits 0 so npm install returns success while the dropper continues silently. It then decodes a hardcoded download URL and bearer token from an obfuscator.io-style RC4/XOR string array, fetches a platform-specific binary (linux-x64, linux-arm64, darwin-x64, darwin-arm64) using Authorization: Bearer <token>, writes it to the user data dir as node-logger-base64, chmod 0755, and spawns it detached with no hash or signature verification. It then installs OS-level persistence so the binary auto-launches at every user login: a Windows HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry via reg add, a macOS LaunchAgent plist under ~/Library/LaunchAgents/, and on Linux both a ~/.config/systemd/user/<stem>.service unit (enabled via systemctl --user) and a ~/.config/autostart/<stem>.desktop entry. None of this is documented in the README. The combination of obfuscated install-time remote-binary fetch + cross-platform persistence + self-detach evasion is an unambiguous dropper / backdoor pattern.

Source: ghsa-malware (73f1923a0299add681c39d15421a3585e277ee2b66847f8e7aeec028e6f37d22)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific 
{
    "malicious-packages-origins": [
        {
            "sha256": "73f1923a0299add681c39d15421a3585e277ee2b66847f8e7aeec028e6f37d22",
            "id": "GHSA-h9jr-prgp-c322",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-05-22T15:58:28Z",
            "source": "ghsa-malware",
            "import_time": "2026-05-22T16:59:25.100294648Z"
        },
        {
            "sha256": "7d85d445a8728a37fb4c6086f1cee659fafcd3d1ffff587d3339e0b3436231c1",
            "import_time": "2026-05-26T05:51:15.986178862Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T06:40:41Z",
            "versions": [
                "1.1.2"
            ],
            "id": "IN-MAL-2026-003762"
        },
        {
            "sha256": "9f3e7beb4e0d682d701e7f8b2f2ee043d4cda378963b0786e75775471839bc6a",
            "import_time": "2026-05-26T05:51:15.849785087Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T06:40:40Z",
            "versions": [
                "1.1.2"
            ],
            "id": "IN-MAL-2026-003761"
        }
    ]
}
References
Credits

Affected packages

npm / terminal-logger-utils

Package

Name
terminal-logger-utils
View open source insights on deps.dev
Purl
pkg:npm/terminal-logger-utils

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.1.0
1.1.1
1.1.2

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/terminal-logger-utils/MAL-2026-4198.json"
cwes 
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators 
{
    "domains": [
        "34.9.16.104.in-addr.arpa"
    ],
    "evidence_files": [
        {
            "sha256": "b42ccbc86e06451f2aae3b865765280e6d3ec7611b5d4e81c0c06d39f3889623",
            "tlsh": "e544b58477c67c8212075777731ab2e5e93add94b08c449df540bc68f0ada2bfae0a71",
            "path": "utils.cjs"
        }
    ],
    "package_integrity": [
        {
            "filename": "terminal-logger-utils-1.1.2.tgz",
            "hashes": {
                "sha1": "9b950063519205e7926eb27ec9cbdd0790e5c8eb",
                "sha512_sri": "sha512-Bjb500zLWEX8JtKeLtjabzG3xgUa34LMVj4yuRtv/SP7v2nvi/+pJuDQpxrRSmsfk5UP4of5KCKpzgJbVMKDSA=="
            }
        }
    ]
}