MAL-2026-6672

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ulid-xyz/MAL-2026-6672.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6672
Published
2026-06-29T00:00:00Z
Modified
2026-07-09T16:32:03.722527796Z
Summary
Malicious code in ulid-xyz (npm)
Details

ulid-xyz is a typosquat of the popular ulid library (sortable unique IDs) and is a cross-platform Remote Access Trojan delivered via a postinstall hook. The package.json postinstall superficially looks like an inline node -e guard that checks for the existence of a dist file, but it actually launches dist/node/utils.js as a detached background process, which in turn runs dist/node/payload.js -- a 467 KB bundled RAT. payload.js decodes XOR+base64-obfuscated configuration (_CFG.WS / _CFG.HTTP) to beacon to a hardcoded attacker-controlled C2 over WebSocket at ws://95.216.232.162:8010/ (with an HTTP fallback at http://95.216.232.162:8010/), establishing a WebSocket RAT channel. It installs persistence on all three major operating systems under the stem MicrosoftSystem64: on Windows under %LOCALAPPDATA%\MicrosoftSystem64; on macOS under ~/Library/Application Support/MicrosoftSystem64 plus a LaunchAgent at ~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist; and on Linux under ~/.local/share/MicrosoftSystem64. The install-time detached spawn (process management capability) and the ~8x package size spike (64 KB to 536 KB) correspond to the bundled RAT payload -- behavior a ULID library has no legitimate need for. All versions of ulid-xyz were published by the same actor (iloiyxo643 / iloiyxo643@ufiwi.space, a disposable email address) and are considered malicious.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (23041702700830f3caa094b14bf923ac78f81d6d0cef96ec784e948dbe4fc705)

Package publishes as 'ulid-xyz' — a name edit away from the established 'ulidx' / 'ulid' libraries — and its README instructs users to npm install index-ulid and import { ulid } from "index-ulid", pointing at a second confusable name maintained by the same author. The declared homepage links to the canonical ulid repository (github.com/ulid/javascript), reinforcing the impersonation. package.json declares scripts.postinstall that runs node dist/node/utils.js after a required-files guard, but dist/node/utils.js is absent from this tarball — only dist/node/index.cjs and dist/node/index.js ship. As published, the guard throws and the postinstall is inert, so no malicious code executes on install in this version. The wired-but-missing lifecycle target combined with the confusable name and a bloated runtime dependency list (pino, ws, zod, esbuild, tsup, ts-node, typescript, @types/node, @types/ws, and a meta postinstall package — none required for ULID generation, where the legitimate ulidx ships zero runtime deps) is consistent with a dormant-dropper staging pattern: ship a benign tarball under a confusable name, then publish a future version that fills in the postinstall target. No exfiltration, no install-time RCE, and no silent-relay are present in the current code, so a public block would overclaim the present-version harm. Routing to human review for confusion-risk assessment and so a reviewer can monitor future versions of this name.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "5bf783a4cfc3bed5bff2b0fb13d8a258b73975f26522a02835d0ceca6617a7b3",
            "id": "IN-MAL-2026-008956",
            "import_time": "2026-07-08T23:27:55.611565194Z",
            "modified_time": "2026-07-08T22:57:54Z",
            "versions": [
                "3.2.3"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "3.2.4"
            ],
            "id": "IN-MAL-2026-008995",
            "import_time": "2026-07-08T23:27:58.131458911Z",
            "modified_time": "2026-07-08T23:03:28Z",
            "sha256": "7a5a0d54d479c79e864c40664737bacecb36d3db5f2a9e057a675f2676fbf64e",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "3.1.0"
            ],
            "id": "IN-MAL-2026-008992",
            "import_time": "2026-07-08T23:27:57.925984015Z",
            "modified_time": "2026-07-08T23:03:03Z",
            "sha256": "8813adaf661e003f6fd912fb4ccb2e5ab0e03ad0f59b22bcd383e437809a39a5",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "2.12.1"
            ],
            "id": "IN-MAL-2026-008979",
            "import_time": "2026-07-08T23:27:57.030438293Z",
            "sha256": "23041702700830f3caa094b14bf923ac78f81d6d0cef96ec784e948dbe4fc705",
            "modified_time": "2026-07-08T23:01:08Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "4694d7ae5e45aba5bd778dfb392fbb5f74eb656d5e8776f5d764fcdf14752199",
            "id": "IN-MAL-2026-008963",
            "import_time": "2026-07-08T23:27:55.988638004Z",
            "modified_time": "2026-07-08T22:58:54Z",
            "versions": [
                "3.2.2"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "5b10656015ed6acb83ec8adc3c6d2df6f689fa4df07d9919d960601f37925bfe",
            "id": "IN-MAL-2026-008964",
            "import_time": "2026-07-08T23:27:56.034403557Z",
            "modified_time": "2026-07-08T22:59:03Z",
            "versions": [
                "3.2.1"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "2.12.2"
            ],
            "id": "IN-MAL-2026-009198",
            "import_time": "2026-07-09T16:20:50.527212591Z",
            "sha256": "dd2787ff09af17aca56837745858f6000ae5807fb4b2533af5ee9894eda025de",
            "modified_time": "2026-07-09T15:42:39Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "2.12.3"
            ],
            "id": "IN-MAL-2026-009199",
            "import_time": "2026-07-09T16:20:50.601518986Z",
            "modified_time": "2026-07-09T15:42:46Z",
            "sha256": "99061d362d2397b2f7764034eb262faeff455cd9a844857362e8856503d7842f",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "3.2.0"
            ],
            "id": "IN-MAL-2026-009200",
            "import_time": "2026-07-09T16:20:50.685797752Z",
            "modified_time": "2026-07-09T15:42:55Z",
            "sha256": "9ceddd9d7a11efd9e91cd3311d4493ae74b8eea902c89c50f9a34ecff1f991a7",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / ulid-xyz

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.12.1
2.12.2
2.12.3
3.*
3.1.0
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "ulid-xyz-3.2.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-5NhBaJCLo5YIDVb3KzJgDG2SvxtBGSf9OykOL7giFamQfS4VK5pRcG6EkYdi5nE9gzgnMdojnvRNf8v9CntLsw==",
                "sha1": "b8a8f3e76d3dbcd973df0f9c7c29e2d427b62288"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "55c6deeed25a2bcd08c63ec49e5b37d13d177264e51d14750a0358d271bde078",
            "tlsh": "15b1a65b2d4122760d92e3c209c5b694ebe9b23d265040dcb87d523c33a7b57027feea",
            "path": "README.md"
        },
        {
            "sha256": "b07c33ec30d4ea48ed223f6b907e338c7956f66a352b43d03eec728c23fcbe1e",
            "tlsh": "1d511225cda90d730ac02598ecbe4695a536845b8dd0f9487399421d0fcc3af01ff2ee",
            "path": "package.json"
        }
    ]
}
iocs
{
    "ips": [
        "95.216.232.162"
    ],
    "urls": [
        "ws://95.216.232.162:8010/",
        "http://95.216.232.162:8010/"
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ulid-xyz/MAL-2026-6672.json"