New malicious npm package 'ambar-src' targets developers with open source malware
Essential information
- Published
- 27/02/2026 09:18
- Modified
- 27/02/2026 10:01
- Tags
- 2026-02-27, apfell, detection evasion, linux, macos, mythicagents, npm, open-source malware, preinstall script, reverse_ssh, supply-chain, windows, yandex cloud
- Related entities
- 6 observables, 3 malware, 2 others
Description
A malicious npm package named "ambar-src" reached 50,000 downloads within days before it was removed from the registry. It abuses npm's preinstall lifecycle hook to execute malicious code during installation, without any explicit invocation by the user, and targets Windows, Linux, and macOS systems. The package employs detection evasion techniques and deploys powerful open-source malware variants. The malware fetches additional payloads from remote servers and uses Yandex Cloud for command and control. Affected systems should be considered fully compromised and require immediate incident response actions. The attack highlights the speed at which supply chain risks can propagate and confirms that npm install is a high-risk action.