registry  /  @ica-gaming/slot-engine  /  1.1.0

@ica-gaming/slot-engine@1.1.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10404 confirms this npm version as malicious. The package presents itself as a deterministic WASM slot-math engine, but slot_engine.wasm embeds obfuscated Node.js modules and Emscripten JS shim helpers that implement a full remote-access and credential-theft toolkit against the consumer host...

Advisory
MAL-2026-10404
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @ica-gaming/slot-engine (npm)
Details
The package presents itself as a deterministic WASM slot-math engine, but slot_engine.wasm embeds obfuscated Node.js modules and Emscripten JS shim helpers that implement a full remote-access and credential-theft toolkit against the consumer host. On invocation, an embedded module opens a Node `require`/`createRequire` context, POSTs an installer-identifying id to a remote HTTPS endpoint on a jittered polling loop, and executes the returned code via `new Function(code)(require)` — giving the operator arbitrary code execution on every poll. WASM-imported helpers additionally: download a Windows `.exe` installer over HTTPS (following redirects) to a temp path and spawn it detached with the silent-install flag `/S`; fetch and extract a macOS `.pkg` via `xar -x`; and write `#!/bin/sh` + `exec node` polyglot wrapper scripts with mode 0755. Separate helpers enumerate Chromium-family and Firefox-family browser profile directories (Chrome, Brave, Edge, Opera, Vivaldi, Chromium, Firefox, Waterfox, LibreWolf, Pale Moon) for Login Data / logins.json / Cookies / Local Storage / IndexedDB / extension wallet stores, walk the home directory for wallet/keystore/.dat files, and read shell-history dotfiles, then package matching content for exfiltration through the C2 channel. The Emscripten shim and both embedded ES modules are obfuscator.io-transformed (rotated base64 string arrays, dispatchers, arithmetic-noise constants, self-defending IIFE); legitimate Emscripten output is not obfuscated. Cover strings such as 'Compiling engine dependencies. This may take a while on initial startup...' are embedded to disguise payload staging as normal engine initialization.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedTrivial
Manifest
NoLicense
scanned 1 file(s), 192 KB of source

Source & flagged code

4 flagged · loading source
slot_engine.jsView file
1async function createSlotEngine(moduleArg={}){var moduleRtn;var Module=moduleArg;var ENVIRONMENT_IS_NODE=true;var arguments_=[];var thisProgram="./this.program";var quit_=(status,t... L2: ;return moduleRtn}if(typeof exports==="object"&&typeof module==="object"){module.exports=createSlotEngine;module.exports.default=createSlotEngine}else if(typeof define==="function"...
High
Child Process

Package source references child process execution.

slot_engine.jsView on unpkg · L1
1async function createSlotEngine(moduleArg={}){var moduleRtn;var Module=moduleArg;var ENVIRONMENT_IS_NODE=true;var arguments_=[];var thisProgram="./this.program";var quit_=(status,t... L2: ;return moduleRtn}if(typeof exports==="object"&&typeof module==="object"){module.exports=createSlotEngine;module.exports.default=createSlotEngine}else if(typeof define==="function"...
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

slot_engine.jsView on unpkg · L1
1async function createSlotEngine(moduleArg={}){var moduleRtn;var Module=moduleArg;var ENVIRONMENT_IS_NODE=true;var arguments_=[];var thisProgram="./this.program";var quit_=(status,t... L2: ;return moduleRtn}if(typeof exports==="object"&&typeof module==="object"){module.exports=createSlotEngine;module.exports.default=createSlotEngine}else if(typeof define==="function"...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

slot_engine.jsView on unpkg · L1
slot_engine.wasmView file
path = slot_engine.wasm kind = wasm_module sizeBytes = 61584 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

slot_engine.wasmView on unpkg

Findings

4 High4 Medium3 Low
HighChild Processslot_engine.js
HighSame File Env Network Executionslot_engine.js
HighObfuscated Payload Loaderslot_engine.js
HighObfuscated
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleslot_engine.wasm
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowNo License