OSV Malicious Advisory
scanned 14h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10743 confirms this npm version as malicious. Package name impersonates the NordPass password-manager product while presenting itself as 'A simple authentication module.' The package.json postinstall runs `make -C src && cp src/auth_module./bin/flare && node src/install.js`. src/install.js is a ~100 KB heavily obfuscated file (obfuscator.io-style string-array decoder with rotation, unicode-escaped identifiers, XOR-numeric literals) that reads /etc/passwd,...
Advisory
MAL-2026-10743
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nordpass (npm)
Details
Package name impersonates the NordPass password-manager product while presenting itself as 'A simple authentication module.' The package.json postinstall runs `make -C src && cp src/auth_module./bin/flare && node src/install.js`. src/install.js is a ~100 KB heavily obfuscated file (obfuscator.io-style string-array decoder with rotation, unicode-escaped identifiers, XOR-numeric literals) that reads /etc/passwd, derives XOR key material from that content combined with hardcoded byte constants, base64-decodes an embedded payload, XOR-decrypts it, and passes the resulting string to eval(). The decode-and-exec path is guarded by anti-analysis checks: a NODE_OPTIONS `--inspect` check, a Date.now() timing gate, and an `OG_`-prefixed environment-variable kill switch. A compiled `auth_module` binary is also staged to `./bin/flare` during postinstall. The combination — brand impersonation, obfuscation, host-file read used as key material, base64+XOR+eval of an embedded blob, anti-debug and kill-switch guards, and a staged native binary — executes attacker-controlled code on the installer's machine at `npm install` time.
## Source: ossf-package-analysis (9924ec9036b6c4caf7436a5e7ba79ed4e1b31fb1732c884d164c340a6982886d) The OpenSSF Package Analysis project identified 'nordpass' @ 1.0.2 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Decision reason
OpenSSF Malicious Packages via OSV confirms nordpass@1.0.0 as malicious (MAL-2026-10743): Malicious code in nordpass (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory