@petitcode/eb-retrynpm

@petitcode/eb-retry (malicious version 1.3.5, published by [email protected]) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern <scope>-<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a retry wrapper (a decoy copy of the popular retry utility) and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload at lib/warmup.js. package.json declares a postinstall hook ("node lib/warmup.js") that runs the payload automatically on npm install. It is additionally a dual-trigger variant: even if postinstall is skipped with --ignore-scripts, the payload still executes at require-time the first time application code calls retry(). The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Malicious payload lib/warmup.js SHA-256: 32d02f806d58a6670f7cc9b93f1d85b22e0e0f535e1f90a62d86918033896f54.

Package advertises itself as a small retry/exponential-backoff helper (lib/index.js is ~50 lines) but ships a 282KB obfuscator.io-packed lib/warmup.js (and matching lib/warmup.mjs at 250KB) whose runPrepare() is invoked unconditionally on every require('@petitcode/eb-retry'). The same file is self-executing as a standalone script via if (require.main === module) onInstall(); so it also runs during postinstall flows. The packed code contains AES-256-GCM decryption of an embedded encrypted blob (which carries a remote URL), an HTTPS fetch of additional payload bytes, and a child_process.spawn of process.execPath with the original argv — i.e. it re-runs Node against attacker-supplied code. Obfuscator.io packing (1267-element rotated string array, RC4-style decoder, control-flow flattening, self-defending console overrides, debug-protection timer that crashes under devtools/inspector) is used to hide the URL, key derivation, and exec invocation. The package.json points repository, bugs, and homepage URLs at github.com/tim-kos/node-retry — an unrelated legitimate project by Tim Koschützki — while the actual publisher is petitcode <[email protected]>, a deliberate impersonation to lure developers searching for retry utilities. Any installer that runs npm install @petitcode/eb-retry or any code path that requires the package will execute the dropper.