Note: This report is updated by a verification record
The package is a full C2 implant disguised as a vue-template-compiler fork. Its postinstall-run.cjs loads tooling-bootstrap.cjs, which contains a base64-encoded C2 agent. The decoded payload registers the victim (hostname, username, OS) with a Cloudflare tunnel C2 at maiden-apply-looks-education.trycloudflare.com, beacons for tasks, reports results, and uploads files. It persists the agent ID in ~/.gradle-cache/.aid and has a C2_TLS_INSECURE env var bypass. The package mirrors vue-template-compiler version 2.7.16 and claims to be an "API-compatible fork with postinstall hooks", which is social engineering for npm override/alias substitution.
The package is marked as malware by OSV: MAL-2026-3777 with source: amazon-inspector
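
An added check for the substitution and loader described above, not code from the package or from the original report: it audits parsed package.json objects for an npm alias that replaces vue-template-compiler and for lifecycle scripts that name the two loader files. The function names, the sample manifests and the name placeholder-fork are constructed for illustration.

```javascript
// Added example. Indicator strings come from this report; everything else
// (function names, sample manifests, "placeholder-fork") is constructed.
const TARGET = 'vue-template-compiler';
const HOOK_FILES = ['postinstall-run.cjs', 'tooling-bootstrap.cjs'];
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];
const FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'overrides', 'resolutions'];

// True when an overrides/resolutions key selects TARGET: "name", "name@range",
// "**/name", "parent>name", or "." nested under a key that already matched.
function selectsTarget(key, parentHit) {
  if (key === '.') return parentHit;
  const segs = key.split(/>|\//);
  const last = segs.pop().replace(/@.*$/, '');
  return last === TARGET && !(segs.pop() || '').startsWith('@');
}

// Report every entry that maps TARGET to an npm alias of another package.
function findSubstitutions(map, where, parentHit = false, out = []) {
  for (const [key, spec] of Object.entries(map || {})) {
    const hit = selectsTarget(key, parentHit);
    if (spec && typeof spec === 'object') {
      findSubstitutions(spec, `${where}.${key}`, hit, out);
    } else if (hit && typeof spec === 'string') {
      const alias = /^npm:((?:@[^/]+\/)?[^@]+)/.exec(spec);
      if (alias && alias[1] !== TARGET) out.push({ where, key, spec, resolvesTo: alias[1] });
    }
  }
  return out;
}

// Audit a project's root package.json (already parsed).
function auditRootManifest(pkg) {
  const maps = FIELDS.map((f) => [f, pkg[f]]).concat([['pnpm.overrides', (pkg.pnpm || {}).overrides]]);
  return maps.flatMap(([f, m]) => findSubstitutions(m, f));
}

// Audit an installed package's package.json: lifecycle scripts naming the loader files.
function findLoaderHooks(pkg) {
  return LIFECYCLE.filter((s) => HOOK_FILES.some((f) => ((pkg.scripts || {})[s] || '').includes(f)));
}

// Constructed sample input (not taken from the real package).
const sampleRoot = {
  dependencies: { vue: '^2.7.16' },
  overrides: { 'vue-loader': { 'vue-template-compiler': 'npm:placeholder-fork@2.7.16' } },
};
const sampleInstalled = { name: 'placeholder-fork', version: '2.7.16',
  scripts: { postinstall: 'node postinstall-run.cjs' } };
console.log(auditRootManifest(sampleRoot), findLoaderHooks(sampleInstalled));
```

Pass it the `JSON.parse` result of the project's root package.json and of each installed package's package.json.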