registry  /  ulid-xyz  /  2.12.3

ulid-xyz@2.12.3

A universally-unique, lexicographically-sortable, identifier generator

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6672 confirms this npm version as malicious. ulid-xyz is a typosquat of the popular ulid library (sortable unique IDs) and is a cross-platform Remote Access Trojan delivered via a postinstall hook. The package.json postinstall superficially looks like an inline `node -e` guard that checks for the existence of a dist file, but it actually launches dist/node/utils.js as a detached background process, which in turn runs dist/node/payload.js -- a 467 KB bundled...

Advisory
MAL-2026-6672
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ulid-xyz (npm)
Details
ulid-xyz is a typosquat of the popular ulid library (sortable unique IDs) and is a cross-platform Remote Access Trojan delivered via a postinstall hook. The package.json postinstall superficially looks like an inline `node -e` guard that checks for the existence of a dist file, but it actually launches dist/node/utils.js as a detached background process, which in turn runs dist/node/payload.js -- a 467 KB bundled RAT. payload.js decodes XOR+base64-obfuscated configuration (_CFG.WS / _CFG.HTTP) to beacon to a hardcoded attacker-controlled C2 over WebSocket at ws://95.216.232.162:8010/ (with an HTTP fallback at http://95.216.232.162:8010/), establishing a WebSocket RAT channel. It installs persistence on all three major operating systems under the stem MicrosoftSystem64: on Windows under %LOCALAPPDATA%\MicrosoftSystem64; on macOS under ~/Library/Application Support/MicrosoftSystem64 plus a LaunchAgent at ~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist; and on Linux under ~/.local/share/MicrosoftSystem64. The install-time detached spawn (process management capability) and the ~8x package size spike (64 KB to 536 KB) correspond to the bundled RAT payload -- behavior a ULID library has no legitimate need for. All versions of ulid-xyz were published by the same actor (iloiyxo643 / iloiyxo643@ufiwi.space, a disposable email address) and are considered malicious. --- ## Source: amazon-inspector (23041702700830f3caa094b14bf923ac78f81d6d0cef96ec784e948dbe4fc705) Package publishes as 'ulid-xyz' — a name edit away from the established 'ulidx' / 'ulid' libraries — and its README instructs users to `npm install index-ulid` and `import { ulid } from "index-ulid"`, pointing at a second confusable name maintained by the same author. The declared homepage links to the canonical ulid repository (github.com/ulid/javascript), reinforcing the impersonation. package.json declares `scripts.postinstall` that runs `node dist/node/utils.js` after a required-files guard, but `dist/node/utils.js` is absent from this tarball — only `dist/node/index.cjs` and `dist/node/index.js` ship. As published, the guard throws and the postinstall is inert, so no malicious code executes on install in this version. The wired-but-missing lifecycle target combined with the confusable name and a bloated runtime dependency list (pino, ws, zod, esbuild, tsup, ts-node, typescript, @types/node, @types/ws, and a meta `postinstall` package — none required for ULID generation, where the legitimate ulidx ships zero runtime deps) is consistent with a dormant-dropper staging pattern: ship a benign tarball under a confusable name, then publish a future version that fills in the postinstall target. No exfiltration, no install-time RCE, and no silent-relay are present in the current code, so a public block would overclaim the present-version harm. Routing to human review for confusion-risk assessment and so a reviewer can monitor future versions of this name.
Decision reason
OpenSSF Malicious Packages via OSV confirms ulid-xyz@2.12.3 as malicious (MAL-2026-6672): Malicious code in ulid-xyz (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory