ulid-xyz is a typosquat of the popular ulid library (sortable unique IDs) and is a cross-platform Remote Access Trojan delivered via a postinstall hook. The package.json postinstall superficially looks like an inline node -e guard that checks for the existence of a dist file, but it actually launches dist/node/utils.js as a detached background process, which in turn runs dist/node/payload.js -- a 467 KB bundled RAT. payload.js decodes XOR+base64-obfuscated configuration (_CFG.WS / _CFG.HTTP) to beacon to a hardcoded attacker-controlled C2 over WebSocket at ws://95.216.232.162:8010/ (with an HTTP fallback at http://95.216.232.162:8010/), establishing a WebSocket RAT channel. It installs persistence on all three major operating systems under the stem MicrosoftSystem64: on Windows under %LOCALAPPDATA%\MicrosoftSystem64; on macOS under ~/Library/Application Support/MicrosoftSystem64 plus a LaunchAgent at ~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist; and on Linux under ~/.local/share/MicrosoftSystem64. The install-time detached spawn (process management capability) and the ~8x package size spike (64 KB to 536 KB) correspond to the bundled RAT payload -- behavior a ULID library has no legitimate need for. All versions of ulid-xyz were published by the same actor (iloiyxo643 / iloiyxo643@ufiwi.space, a disposable email address) and are considered malicious.
-= Per source details. Do not edit below this line.=-
Package publishes as 'ulid-xyz' — a name edit away from the established 'ulidx' / 'ulid' libraries — and its README instructs users to npm install index-ulid and import { ulid } from "index-ulid", pointing at a second confusable name maintained by the same author. The declared homepage links to the canonical ulid repository (github.com/ulid/javascript), reinforcing the impersonation. package.json declares scripts.postinstall that runs node dist/node/utils.js after a required-files guard, but dist/node/utils.js is absent from this tarball — only dist/node/index.cjs and dist/node/index.js ship. As published, the guard throws and the postinstall is inert, so no malicious code executes on install in this version. The wired-but-missing lifecycle target combined with the confusable name and a bloated runtime dependency list (pino, ws, zod, esbuild, tsup, ts-node, typescript, @types/node, @types/ws, and a meta postinstall package — none required for ULID generation, where the legitimate ulidx ships zero runtime deps) is consistent with a dormant-dropper staging pattern: ship a benign tarball under a confusable name, then publish a future version that fills in the postinstall target. No exfiltration, no install-time RCE, and no silent-relay are present in the current code, so a public block would overclaim the present-version harm. Routing to human review for confusion-risk assessment and so a reviewer can monitor future versions of this name.
{
"malicious-packages-origins": [
{
"sha256": "5bf783a4cfc3bed5bff2b0fb13d8a258b73975f26522a02835d0ceca6617a7b3",
"id": "IN-MAL-2026-008956",
"import_time": "2026-07-08T23:27:55.611565194Z",
"modified_time": "2026-07-08T22:57:54Z",
"versions": [
"3.2.3"
],
"source": "amazon-inspector"
},
{
"versions": [
"3.2.4"
],
"id": "IN-MAL-2026-008995",
"import_time": "2026-07-08T23:27:58.131458911Z",
"modified_time": "2026-07-08T23:03:28Z",
"sha256": "7a5a0d54d479c79e864c40664737bacecb36d3db5f2a9e057a675f2676fbf64e",
"source": "amazon-inspector"
},
{
"versions": [
"3.1.0"
],
"id": "IN-MAL-2026-008992",
"import_time": "2026-07-08T23:27:57.925984015Z",
"modified_time": "2026-07-08T23:03:03Z",
"sha256": "8813adaf661e003f6fd912fb4ccb2e5ab0e03ad0f59b22bcd383e437809a39a5",
"source": "amazon-inspector"
},
{
"versions": [
"2.12.1"
],
"id": "IN-MAL-2026-008979",
"import_time": "2026-07-08T23:27:57.030438293Z",
"sha256": "23041702700830f3caa094b14bf923ac78f81d6d0cef96ec784e948dbe4fc705",
"modified_time": "2026-07-08T23:01:08Z",
"source": "amazon-inspector"
},
{
"sha256": "4694d7ae5e45aba5bd778dfb392fbb5f74eb656d5e8776f5d764fcdf14752199",
"id": "IN-MAL-2026-008963",
"import_time": "2026-07-08T23:27:55.988638004Z",
"modified_time": "2026-07-08T22:58:54Z",
"versions": [
"3.2.2"
],
"source": "amazon-inspector"
},
{
"sha256": "5b10656015ed6acb83ec8adc3c6d2df6f689fa4df07d9919d960601f37925bfe",
"id": "IN-MAL-2026-008964",
"import_time": "2026-07-08T23:27:56.034403557Z",
"modified_time": "2026-07-08T22:59:03Z",
"versions": [
"3.2.1"
],
"source": "amazon-inspector"
},
{
"versions": [
"2.12.2"
],
"id": "IN-MAL-2026-009198",
"import_time": "2026-07-09T16:20:50.527212591Z",
"sha256": "dd2787ff09af17aca56837745858f6000ae5807fb4b2533af5ee9894eda025de",
"modified_time": "2026-07-09T15:42:39Z",
"source": "amazon-inspector"
},
{
"versions": [
"2.12.3"
],
"id": "IN-MAL-2026-009199",
"import_time": "2026-07-09T16:20:50.601518986Z",
"modified_time": "2026-07-09T15:42:46Z",
"sha256": "99061d362d2397b2f7764034eb262faeff455cd9a844857362e8856503d7842f",
"source": "amazon-inspector"
},
{
"versions": [
"3.2.0"
],
"id": "IN-MAL-2026-009200",
"import_time": "2026-07-09T16:20:50.685797752Z",
"modified_time": "2026-07-09T15:42:55Z",
"sha256": "9ceddd9d7a11efd9e91cd3311d4493ae74b8eea902c89c50f9a34ecff1f991a7",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "ulid-xyz-3.2.3.tgz",
"hashes": {
"sha512_sri": "sha512-5NhBaJCLo5YIDVb3KzJgDG2SvxtBGSf9OykOL7giFamQfS4VK5pRcG6EkYdi5nE9gzgnMdojnvRNf8v9CntLsw==",
"sha1": "b8a8f3e76d3dbcd973df0f9c7c29e2d427b62288"
}
}
],
"evidence_files": [
{
"sha256": "55c6deeed25a2bcd08c63ec49e5b37d13d177264e51d14750a0358d271bde078",
"tlsh": "15b1a65b2d4122760d92e3c209c5b694ebe9b23d265040dcb87d523c33a7b57027feea",
"path": "README.md"
},
{
"sha256": "b07c33ec30d4ea48ed223f6b907e338c7956f66a352b43d03eec728c23fcbe1e",
"tlsh": "1d511225cda90d730ac02598ecbe4695a536845b8dd0f9487399421d0fcc3af01ff2ee",
"path": "package.json"
}
]
}
{
"ips": [
"95.216.232.162"
],
"urls": [
"ws://95.216.232.162:8010/",
"http://95.216.232.162:8010/"
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ulid-xyz/MAL-2026-6672.json"