OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5827 confirms this npm version as malicious. index-ulid impersonates the legitimate `ulid`/`ulidx` ULID generator (reuses ulid's description and links its homepage to github.com/ulid/javascript) but its `postinstall` script (package.json line 36: `node dist/node/utils.js`) is a cross-platform dropper. utils.js detaches with `--bg`, copies the bundled `dist/node/payload.js` into a directory named `MicrosoftSystem64` under the user's data-local directory...
Advisory
MAL-2026-5827
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in index-ulid (npm)
Details
index-ulid impersonates the legitimate `ulid`/`ulidx` ULID generator (reuses ulid's description and links its homepage to github.com/ulid/javascript) but its `postinstall` script (package.json line 36: `node dist/node/utils.js`) is a cross-platform dropper. utils.js detaches with `--bg`, copies the bundled `dist/node/payload.js` into a directory named `MicrosoftSystem64` under the user's data-local directory (utils.js:7 `var UNIT_STEM = "MicrosoftSystem64"`) to disguise it as a Microsoft system component, then installs persistence on every major OS: Windows `schtasks /create /sc ONLOGON` (with a Registry Run key fallback), macOS detached spawn, and Linux `systemd --user` service or `~/.config/autostart`. The dropped binary is then launched in the background as `node payload.js --agent` (utils.js:75-79 `spawn(process.execPath, [jsPath, "--agent"], { detached: true })`). The 949 KB `payload.js` bundles a WebSocket client/server (`ws`), pino, zod, and contains string references to `/api/validate`, `/api/hf`, `https://huggingface.co/api`, and `Telegram` — a long-running C2 agent that beacons to remote services from every installer host. Both the postinstall and the agent contain a sandbox-evasion CPU gate (utils.js:155 skips when `cpus.length <= 4`; payload.js cpu-guard sets `MIN_CPU_COUNT = 5` and exits otherwise) so the dropper only fires on real developer/server machines and stays silent in malware sandboxes and small CI runners. None of this behavior is justified by a ULID library; the package is a typosquat lure for a persistent backdoor.
## Source: ghsa-malware (2b76e83c1fff9149fa6fd29f8c1ae854a428055508c5b0329b52ba444d5cf464) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms index-ulid@3.0.2 as malicious (MAL-2026-5827): Malicious code in index-ulid (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory