Malicious Package Affecting staticlayer package, versions *


Severity

Recommended
0.0
critical
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-STATICLAYER-17391464
  • published21 Jun 2026
  • disclosed16 Jun 2026
  • creditSafeDep Team

Introduced: 16 Jun 2026

New Malicious CVE NOT AVAILABLE CWE-506  (opens in a new tab)

How to fix?

Avoid using all malicious instances of the staticlayer package.

Overview

staticlayer is a malicious package. This package is part of a coordinated malicious campaign that conceals a Windows binary dropper. While the package itself might not contain standalone malicious logic and masquerades as a benign micro-utility, it is part of a broader attack and should not be installed. A malicious actor split the execution logic across different npm packages, allowing the attacker to evade per-package reviews and secretly execute a weaponized payload only when the packages are wired together.

Malicious Behavior

According to the security analysis, the obfuscated payload is designed to establish communications with an external anonymous server to download and run a malicious executable. The dropper strips "Mark-of-the-Web" warnings to suppress Microsoft SmartScreen prompts and runs completely hidden from the user. It will persist on the system by generating an executable that imitates a legitimate updater (e.g., msedge_update_*.exe, chrome_installer_*.exe, dotnet_host_*.exe) and placing it in paths such as %LOCALAPPDATA%\Temp, %TEMP%, or %TMP%.

Notes:

  • This attack is strictly targeted at Windows systems; the malicious script checks the operating system and immediately exits on any other platform.
  • The dropper is highly resilient, utilizing three independent download methods (Node.js https, curl.exe, and bitsadmin) and three execution methods to ensure it deploys successfully even on partially hardened systems.
  • The C2 URLs and strings are heavily obfuscated using single-byte XOR decoding, using one of the helper package's own names as the decryption key.

References

CVSS Base Scores

version 4.0
version 3.1