url-encode-decode@1.0.2Malicious

Verified

Analysed at: 11/24/25, 11:25 AM

Source: https://registry.npmjs.org/url-encode-decode/-/url-encode-decode-1.0.2.tgz

SHA256: bd39d673d7dd4292c5c00f99d10e4e5ad61914981e2c75cf496c4482376d15d3

Confidence: High

Summary

Note: This report is updated by a verification record

Suspicious preinstall script executing arbitrary code and accessing bash startup files indicates malicious activity. Package is classified as malware.

Verification Record

Confirmed malicious package as part of coordinated supply chain attack targeting npm ecosystem

Details

Note: This report is updated by a verification record

The package exhibits multiple suspicious behaviors. The package.json contains a preinstall script executing node setup_bun.js, allowing arbitrary code execution during installation. Both bun_environment.js and setup_bun.js trigger the bash_persist_persistent YARA rule, indicating access to multiple bash startup files, a common persistence technique. The combination of these factors strongly suggests malicious intent.

Summary

Note: This report is updated by a verification record

Suspicious preinstall script executing arbitrary code and accessing bash startup files indicates malicious activity. Package is classified as malware.

Verification Record

Confirmed malicious package as part of coordinated supply chain attack targeting npm ecosystem

Details

Note: This report is updated by a verification record

url-encode-decode@1.0.2Malicious

Verified

Analysed at: 11/24/25, 11:25 AM

Source: https://registry.npmjs.org/url-encode-decode/-/url-encode-decode-1.0.2.tgz

SHA256: bd39d673d7dd4292c5c00f99d10e4e5ad61914981e2c75cf496c4482376d15d3

Confidence: High