Potential Malware package #9

Closed
saurabhnemade opened this issue Jan 28, 2025 · 2 comments

@saurabhnemade

https://tria.ge/250126-dw9h2szncz/
says that this package is downloading malware.

@xaviermonin
Member

xaviermonin commented Jan 31, 2025

Hello,

Thank you for the information. Which package did you upload to the website?

This package is just a wrapper around the Windows DPAPI.
It is not malware, but unfortunately, some packages use it for malicious purposes (such as exfiltrating browser passwords). I am specifically thinking of valid-ip-ban and valid-ip-scope, which I reported to npmjs.com, but they are taking time to be removed.

The source code is available on this repository and is built and published on npm via a GitHub workflow to ensure that the release matches the source code.
You can easily verify this by checking if the hash generated during the latest workflow is the same as the one for the downloaded package.

For the current version (2.0.1), the workflow link is here.

Image

By running npm pack @primno/dpapi, you can verify that the hash matches.

Image
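The check described in the comment above (compare the hash `npm pack` prints for the downloaded tarball with the one the publishing workflow recorded) can be automated. The following is an added example, not code from this repository or from npm: it computes the Subresource Integrity value npm uses (`sha512-` followed by the base64 SHA-512 of the tarball), compares it in constant time against an expected value, and reads the `integrity`/`shasum` fields out of `npm pack --json` output. The tarball bytes and the JSON document are constructed inline so the script runs offline; the package name `@primno/dpapi` and version `2.0.1` are taken from the comment, and the expected hash you would paste in comes from the workflow log, not from here.

```python
"""Verify an npm tarball against the integrity value a build pipeline logged.

npm identifies a published tarball by a Subresource Integrity (SRI) string:
"sha512-" + base64(SHA-512 digest of the .tgz). `npm pack` prints that value
(plus a legacy SHA-1 "shasum"), so a locally fetched package can be compared
with what the publishing GitHub workflow printed for the same release.
"""
import base64
import hashlib
import hmac
import json

# SRI permits these three algorithms; npm publishes sha512.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Return the SRI string for data, e.g. 'sha512-<base64 digest>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    raw = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def shasum(data: bytes) -> str:
    """Hex SHA-1, as shown in the 'shasum' line of npm pack (weaker; prefer integrity)."""
    return hashlib.sha1(data).hexdigest()


def verify_integrity(data: bytes, expected: str) -> bool:
    """True only if data hashes to the expected SRI string.

    The algorithm is taken from the prefix of the expected value, the two
    strings are compared in constant time, and any malformed or unsupported
    expected value simply fails closed.
    """
    algo, _, _ = expected.partition("-")
    try:
        actual = sri_digest(data, algo)
    except ValueError:
        return False
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))


def integrity_from_pack_json(pack_json: str) -> dict:
    """Pull name, version, integrity and shasum from `npm pack --json` output.

    npm pack --json emits a list with one object per packed tarball; the
    fields used here are the ones it prints for each entry.
    """
    entries = json.loads(pack_json)
    if not entries:
        raise ValueError("npm pack --json returned no entries")
    first = entries[0]
    return {key: first[key] for key in ("name", "version", "integrity", "shasum")}


# Constructed stand-in for the bytes of a downloaded .tgz (not a real package).
SAMPLE_TARBALL = b"\x1f\x8b\x08\x00constructed-sample-tarball-bytes-for-demo"

# Constructed document shaped like `npm pack @primno/dpapi --json` output,
# built from the sample bytes so the two values above line up.
SAMPLE_PACK_JSON = json.dumps([{
    "name": "@primno/dpapi",
    "version": "2.0.1",
    "filename": "primno-dpapi-2.0.1.tgz",
    "integrity": sri_digest(SAMPLE_TARBALL),
    "shasum": shasum(SAMPLE_TARBALL),
}])


def check_release(tarball: bytes, pack_json: str, workflow_integrity: str) -> bool:
    """Full check: local npm pack output must match both the bytes and the CI log."""
    info = integrity_from_pack_json(pack_json)
    local_ok = verify_integrity(tarball, info["integrity"])
    ci_ok = hmac.compare_digest(info["integrity"].encode(), workflow_integrity.encode())
    return local_ok and ci_ok


if __name__ == "__main__":
    # WORKFLOW_INTEGRITY is a placeholder: paste the value from the release workflow log.
    WORKFLOW_INTEGRITY = sri_digest(SAMPLE_TARBALL)
    print("release matches workflow:", check_release(SAMPLE_TARBALL, SAMPLE_PACK_JSON, WORKFLOW_INTEGRITY))
    print("tampered tarball matches:", verify_integrity(SAMPLE_TARBALL + b"\x00", WORKFLOW_INTEGRITY))
```

In practice you would run `npm pack @primno/dpapi --json`, read the bytes of the resulting `.tgz` into `tarball`, and replace the placeholder `WORKFLOW_INTEGRITY` with the `sha512-...` value shown in the workflow run; a mismatch on either comparison means the published tarball is not the one the workflow built.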

@saurabhnemade
Author

saurabhnemade commented Feb 2, 2025

Hey @xaviermonin,
Thanks for the confirmation. This was a false positive.
Turned out it was flagged by tria.ge for something else.
No need to worry. :)

For your context, the entire thing started with a recruiter sending me an assignment which was stealing crypto information. Upon searching the internet I found references to this package which were identified as false positives.
They were spreading by calling some service blastapi to get js code which was getting evaluated on server side that was stealing the credentials.

I can confirm DPAPI is safe. Closing this issue. 👍

Edit:
The code fragments recovered from the said incident & malicious code (very much similar to North Korean APT) from the attack are listed at:
https://gist.github.com/saurabhnemade/cf377389d34e8800b48afd505c7834fe
