Embedded Malicious Code Affecting mgc package, versions =1.2.1=1.2.2=1.2.3=1.2.4
Threat Intelligence
Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-MGC-15876797
- published3 Apr 2026
- disclosed3 Apr 2026
- creditUnknown
Introduced: 3 Apr 2026
New Malicious CVE NOT AVAILABLE CWE-506 (opens in a new tab)How to fix?
Avoid using all malicious instances of the mgc package.
Overview
mgc is a Module Generate Cli
Affected versions of this package are vulnerable to Embedded Malicious Code. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and the author of this package.
RAT Behavior
The package executes an obfuscated postinstall script setup.js that establishes communication with an external command-and-control server (sfrclak.com:8000). The RAT checks the operating system and drops platform-specific payloads:
- macOS: Drops a binary to /Library/Caches/com.apple.act.mond.
- Windows: Drops a persistent executable to %PROGRAMDATA%\wt.exe and runs a PowerShell script.
- Linux: Executes a Python script saved to /tmp/ld.py.
After execution, the malware deletes its setup.js script and replaces its own package.json with a clean stub to actively conceal evidence of the attack from post-infection inspection.
If you find any of these persistent files or the node_modules/plain-crypto-js directory, you have been compromised and should no longer trust the system to be safe.