MAL-2026-5342

kecak256 is a typosquat of the popular keccak256 package (one c dropped) that ships a credential-stealing payload executed automatically on install.

The package spoofs the legitimate keccak256 project — author "Miguel Mota", matching description, README, and keywords — and includes a benign decoy hash implementation (kecak256.js) as main.

package.json defines scripts.postinstall: node init.m.js && echo DONE, and declares archiver, axios, and form-data as runtime dependencies (the exfiltration toolchain).

init.m.js (launcher): RC4 + base64 string obfuscation. On Windows it spawns a hidden PowerShell (-WindowStyle Hidden -ExecutionPolicy Bypass) that Start-Process-launches upchk.m.js under node; on other platforms it spawns node upchk.m.js detached ({detached:true, windowsHide:true, stdio:'ignore'}) and calls child.unref() to orphan the process.

upchk.m.js (stage 2, ~63 KB obfuscated): performs an isAdmin() privilege check, targets browser/credential stores (observed string targets include Chrome Login Data, keystore, cc_appkey), archives collected data into npmupdate.zip via archiver, and exfiltrates it in 5 MB chunks via axios + FormData to a runtime-decoded C2 URL (uploadFileChunks(file, sUrl, 5MB)).

-= Per source details. Do not edit below this line.=-

Source: ghsa-malware (558c8dc29d2f864f51bea9c39fd8af25714a650a35d008d4142acd5c402a1b3c)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.