{
  "name": "Artifact scanner detects npm package 'node-fetch-utils' using external dependency resolution with remote tarball dependency from GitHub",
  "slug": "artifact-scanner-detects-npm-package-node-fetch-utils-using-external-dependency-resolution-with-remote-tarball-dependenc",
  "description": "A malicious npm package named 'node-fetch-utils' was discovered masquerading as a legitimate fetch helper utility. The package declares a remote tarball dependency hosted on GitHub, whose code executes upon installation. Installation runs an obfuscated postinstall script targeting Windows systems, which downloads a bundled Python runtime and drops it as Microsoft\\EdgeBroker\\pythonw.exe for persistence. The dropper then uses this disguised runtime to execute a fileless Python implant, which is decrypted in memory and launched hidden via wscript. The dropper scripts self-delete, while the disguised runtime remains active on the compromised system and establishes command-and-control communications.",
  "published": "2026-06-23T12:11:58.863000+00:00",
  "created_at": "2026-06-23T19:30:03.130000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-23T19:30:03.130000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "dependency confusion",
    "fileless malware",
    "javascript dropper",
    "node-fetch-core",
    "node-fetch-utils",
    "npm",
    "obfuscated script",
    "persistence",
    "python implant",
    "supply chain attack"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "6aa7132e-d012-41cc-bd53-a9c5727dda76",
        "name": "http://node22.lunes.host:3258"
      },
      {
        "id": "7608ad4b-10cd-46b0-9ebd-d97c96d2cee8",
        "name": "4ce45e016a304d813e67b29a08265b2101c2e15a09ace5de6539cad02567affe"
      }
    ],
    "attack_patterns": [
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4",
        "name": "T1195.002"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "dea4e00b-6e38-4223-a0f2-8a44e403019b",
        "name": "T1564.003"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "2fca0274-42fc-483e-a1e3-d9c4ba687d2d",
        "name": "T1574.001"
      }
    ],
    "malware": [
      {
        "id": "096a9cdc-9bb4-4cbe-a992-d1404c83bd4e",
        "name": "node-fetch-core"
      },
      {
        "id": "46a3be8c-546b-401f-bf77-c1d58d9f470d",
        "name": "node-fetch-utils"
      }
    ],
    "observables": [
      {
        "id": "c8ae526b-e804-429f-9eee-876608d2a472",
        "name": "http://node22.lunes.host:3258"
      }
    ]
  },
  "external_refs": [
    {
      "id": "4395faf2-5dce-4a12-b1a2-b970a890f5ab",
      "standard_id": "external-reference--b4e5ea30-da9d-5ae4-93f4-4ad3af8a2cb1",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://x.com/nextronresearch/status/2068958596646265033",
      "hash": null,
      "external_id": null,
      "created": "2026-06-23T19:30:01.162Z",
      "modified": "2026-06-23T19:30:01.162Z",
      "createdById": null
    },
    {
      "id": "37f8f393-855c-471f-b31b-ede5b6470ff7",
      "standard_id": "external-reference--cd00a1fa-0c95-5ae3-bd79-1a662d1614dd",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a3a780ee89db8a716522418",
      "hash": null,
      "external_id": "6a3a780ee89db8a716522418",
      "created": "2026-06-23T19:30:01.136Z",
      "modified": "2026-06-23T19:30:01.136Z",
      "createdById": null
    }
  ]
}