@nullzero/urlcatnpm

@nullzero/urlcat (version 1.4.2, published by [email protected]) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern <scope>-<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. Like the other packages in the campaign, it declares a postinstall hook ("node lib/encoder.js") that runs a bundled payload file automatically on npm install. The campaign payload is a Chromium browser credential stealer that reads Chromium Cookies and Login Data, decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), and exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent, hidden behind javascript-obfuscator obfuscation (hex identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution). This package was unpublished from npm before the payload could be captured, so its specific payload was not independently verified; it is reported on the basis of its membership in the wshu.net campaign (matching publisher email pattern, scope-creation burst, and postinstall execution pattern).

Package @nullzero/urlcat impersonates the legitimate urlcat URL-builder library — same advertised cat(base, path, params) API, README copied from upstream, and package.json.repository.url points to git+https://github.com/balazsbotond/urlcat.git (the real upstream maintainer's repo, not the nullzero publisher's). The package main lib/index.js line 64 calls encoder.runPrepare() at the top of every invocation of the exported cat() function. lib/encoder.js is a 263 KB obfuscator.io-packed file (rotated 1176-entry string array, RC4 decoder _0x2f0d, control-flow flattening) — far beyond anything a tiny URL composer requires. Decoded control flow in lib/encoder.js selects a platform-specific binary candidate (branches on process.platform === 'win32' to 'win.js' / a bun-style executable, otherwise a node-typed binary), constructs a destination under os.tmpdir(), downloads it over https.request following up to 5 redirects with User-Agent: node-installer, sha256-checks against a .meta JSON sidecar, and then spawns the dropped binary (or re-execs process.execPath against it) detached + unref'd, with a private env-var marker (__7D0A53...). The encoder also installs no-op handlers for uncaughtException, unhandledRejection, and SIGINT to suppress crashes, performs obfuscator.io-style debugger-detection (Function('debugger') regex self-check), and re-spawns the current node when run interactively so the payload runs only in the detached child. A URL-builder library has no legitimate need for a 263 KB obfuscated sibling, a platform-specific binary download, anti-debug guards, or a detached child re-exec. Any consumer who calls cat() triggers arbitrary code execution from an attacker-controlled binary on their machine.