MAL-2026-6311

@thymelab/logfx (malicious version 2.15.5, published by thymelab-v0et8w@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern <scope>-<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a logger and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload at dist/bootstrap.js. package.json declares a postinstall hook ("node dist/bootstrap.js") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Malicious payload dist/bootstrap.js SHA-256: 4e927f22ad04f4ac9b487ae11412fc2a55210188789ac29f3a47ad77931907a5.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (edce595ab99f7bcc5404f8c1222a1d8f5a7cbbb1fc6cd6e02aabddaf19526839)

@thymelab/logfx@2.15.5 ships a postinstall hook (postinstall: node dist/bootstrap.js) that runs a 282KB obfuscator.io-packed script on every npm install. The decoded control flow performs HTTPS GETs to a runtime-decrypted URL, AES-256-GCM-decrypts the response using an embedded key, sha256-verifies, stages files into os.tmpdir(), chmod's them, and re-spawns them via process.execPath using child_process.spawn with detached/unref'd handles. The script disables itself when --inspect/--debug are present (anti-analysis). The destination URL and decryption key are not pinned plaintext — they are decrypted at runtime, giving the publisher a mutable, attacker-controlled execution channel into every installer. Independently, dist/logfx.js is a near-verbatim copy of the unjs/consola logger and package.json.repository/bugs.url falsely point to github.com/unjs/consola, impersonating that project; an appended IIFE wraps the exported withTag API to call require('./bootstrap').runPrepare(), so the dropper also detonates when a consumer simply imports the package and uses its documented API. The combination of opaque obfuscation, runtime-decrypted remote URL, tmpdir staging with execPath respawn, anti-debug guard, and import-time trigger is a hostile install-time dropper, not a logging utility.