This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.
Note: This report is updated by a verification record
The package is marked as malware by OSV: MAL-2025-171 with source: ghsa-malware
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
The package chrome-api-utils (version 1.1.0) exhibits strong indicators of malicious behavior based on the collected evidence. While individual pieces of evidence might be considered inconclusive on their own (especially given the noisy nature of YARA rules and the medium confidence levels assigned), the cumulative weight of evidence points towards a high probability of malicious intent.
Here's a breakdown:
Data Exfiltration: Multiple sources, including both YARA and LLM analysis, confirm that the package collects sensitive system information (home directory, hostname, username, DNS servers, potentially /etc/passwd and /etc/hosts) and uploads it to a hardcoded, suspicious domain (67bkwcqpeiguc9pdoinaj8c1hsnkbazz.oastify.com). This behavior is unequivocally malicious, as it violates user privacy and potentially exposes sensitive data to unauthorized access.
Hardcoded C&C Server: The use of a hardcoded domain for communication is a classic malware characteristic. It establishes a direct communication channel with a command-and-control (C&C) server, allowing the attacker to remotely control and update the malicious code.
Suspicious preinstall Script: The package.json file contains a preinstall script that executes node index.js. This allows malicious code to run before the package's dependencies are installed, making it extremely difficult for the user to detect or prevent the malicious activity. This is a highly effective technique for malware distribution.
Lack of Transparency and Project Information: The absence of readily available source project information (Evidence 8) raises significant red flags. This lack of transparency makes it difficult to verify the package's legitimacy and increases the suspicion of malicious intent. The limited number of published versions (Evidence 9) further supports this suspicion.
Multiple YARA Rule Matches: While YARA rules are noisy, the fact that multiple rules related to phone-home functionality, data exfiltration, and interaction with suspicious domains triggered positive matches strengthens the overall case for malicious behavior. The consistent pattern across multiple YARA rules corroborates the findings of the LLM analysis.
In summary, the combination of data exfiltration, a hardcoded C&C server, a suspicious preinstall script, and a lack of transparency strongly suggests that chrome-api-utils (1.1.0) is malicious. The consistency across multiple analysis methods further reinforces this conclusion. The medium confidence levels assigned to individual pieces of evidence are mitigated by the sheer number of independent indicators pointing towards malicious activity.