OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10438 confirms this npm version as malicious. On install, setup.js walks up to the installer's project tree and scans image files for a '__STEG__' marker. When found, it AES-256-CBC-decrypts an embedded steganographic payload that points to a file inside the installer's node_modules and uses a regex (`cli.command("build [root]"...finally{...}`) to patch that third-party CLI's build command, prepending an import of netspeedutil/inject.js and an `await inject()`...
Advisory
MAL-2026-10438
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in netspeedutil (npm)
Details
On install, setup.js walks up to the installer's project tree and scans image files for a '__STEG__' marker. When found, it AES-256-CBC-decrypts an embedded steganographic payload that points to a file inside the installer's node_modules and uses a regex (`cli.command("build [root]"...finally{...}`) to patch that third-party CLI's build command, prepending an import of netspeedutil/inject.js and an `await inject()` call inside the build's finally block. Once tampered, every subsequent project build runs inject.js, which uses javascript-obfuscator (control-flow flattening, dead-code injection, base64 string-array encoding) to embed an obfuscated client into dist/index.html. That client opens a WebRTC TURN connection to a hardcoded attacker host at 13.234.111.178:3478 as a covert C2 / signaling channel and renders attacker-supplied DOM content to end users of any site the developer ships. The package's stated purpose ('Fast string matching and pattern validation utilities') is a cover story unrelated to the actual code. This is a build-pipeline supply-chain compromise: the installer's production artifacts are silently weaponized against their own end users.
Decision reason
OpenSSF Malicious Packages via OSV confirms netspeedutil@1.0.13 as malicious (MAL-2026-10438): Malicious code in netspeedutil (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory