Disclaimer: All research and opinions expressed here are my own and are independent of any employer or organisation.

webp-https-errors (severity: critical), by Paul Newton

webp-https-errors - Dependency Chain Lure for prettier-lint-lenz Dropper

webp-https-errors is a lure package presenting as a legitimate HTTP error utility. Its src/index.js exports a functional HttpError class and passes casual code review. The malice is entirely in the dependency tree: prettier-lint-lenz is declared as a runtime dependency and is a variant of the prettier-lint dropper family, delivering the same C2 beacon and LOCALAPPDATA payload staging on install. Victims install a working utility and receive a malicious transitive dependency they are unlikely to inspect.

Package

Name: webp-https-errors

Version: 4.7.2

Threat Actor: Unknown

Tags: #npm #supply-chain #dependency-confusion #lure-package #payload-dropper #c2-beacon #windows

Clean Lure — Functional Decoy Code

src/index.js exports a fully functional HTTP error factory: an HttpError class and convenience wrappers for common status codes (400, 401, 403, 404, 409, 500). The code is well-structured, JSDoc-annotated, and indistinguishable from a legitimate utility. Version 4.7.2 implies maturity. This is deliberate — the package is designed to survive a code review of the direct dependency.

src/index.js — legitimate decoy

export class HttpError extends Error {
  constructor(status, message, details) {
    super(message);
    this.name = "HttpError";
    this.status = status;
    this.details = details;
  }
}
export const badRequest   = (m, d) => new HttpError(400, m, d);
export const unauthorized = (m, d) => new HttpError(401, m, d);
export const notFound     = (m, d) => new HttpError(404, m, d);
export const internal     = (m, d) => new HttpError(500, m, d);

Malicious Dependency — prettier-lint-lenz

package.json declares prettier-lint-lenz as a runtime dependency. This package is a variant of the prettier-lint dropper (see separate writeup) and executes the same install-time beacon and payload drop chain on any npm install that resolves webp-https-errors. The victim's exposure surface is the transitive dependency — a directory they are statistically unlikely to audit. The files field also includes a directory named web-http-errors (distinct from the package name), which may be a secondary payload staging artifact or a repackaging artifact.

package.json — malicious dependency

{
  "name": "webp-https-errors",
  "version": "4.7.2",
  "dependencies": {
    "prettier-lint-lenz": "^2.6.4"
  },
  "files": [
    "src/index.js",
    "web-http-errors"
  ]
}
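
The transitive exposure described above can be checked from a project's lockfile. The following is an added example, not code from this writeup or from either package: it walks an npm lockfileVersion 3 "packages" map and reports the dependency chain that pulls in each flagged name. The names demo-app and example-lib and the sample lockfile are constructed for illustration.

```javascript
// Added example. Package names come from the IoC table on this page;
// the lockfile is constructed sample data (demo-app and example-lib are hypothetical).
const FLAGGED = new Set(["webp-https-errors", "prettier-lint-lenz"]);
const sampleLock = { // npm lockfileVersion 3 layout: flat "packages" map
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-lib": "^1.0.0", "webp-https-errors": "^4.7.2" } },
    "node_modules/example-lib": { version: "1.0.0" },
    "node_modules/webp-https-errors": { version: "4.7.2", dependencies: { "prettier-lint-lenz": "^2.6.4" } },
    "node_modules/prettier-lint-lenz": { version: "2.6.4", hasInstallScript: true },
  },
};

// Resolve a dependency the way Node does: nearest node_modules, walking upward.
function resolveKey(packages, fromKey, dep) {
  for (let base = fromKey; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the project root, recording the chain that pulls each package in.
function findFlagged(lock, flagged = FLAGGED) {
  const packages = lock.packages || {};
  const hits = [];
  const seen = new Set([""]);
  const queue = [{ key: "", chain: [packages[""]?.name || "(root)"] }];
  while (queue.length) {
    const { key, chain } = queue.shift();
    const meta = packages[key] || {};
    // devDependencies are only installed for the root project.
    const deps = { ...meta.dependencies, ...meta.optionalDependencies, ...(key ? {} : meta.devDependencies) };
    for (const dep of Object.keys(deps)) {
      const depKey = resolveKey(packages, key, dep);
      if (!depKey || seen.has(depKey)) continue;
      seen.add(depKey);
      const next = [...chain, `${dep}@${packages[depKey].version}`];
      const installScript = Boolean(packages[depKey].hasInstallScript);
      if (flagged.has(dep)) hits.push({ name: dep, direct: key === "", chain: next, installScript });
      queue.push({ key: depKey, chain: next });
    }
  }
  return hits;
}
for (const h of findFlagged(sampleLock)) console.log(h.chain.join(" > "), h);
```

To check a real project, pass the parsed contents of its package-lock.json in place of sampleLock.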

Campaign Attribution

The prettier-lint-lenz dependency links this package to the same actor responsible for prettier-lint. The two-tier structure — clean lure package plus malicious dropper dependency — is a deliberate evasion pattern designed to separate the code-reviewed surface from the execution surface. Operators producing multiple lure packages pointing to variants of the same dropper family can rotate lure package names while reusing core payload infrastructure.

Indicators of Compromise

Malicious Packages

| Package | Version | Author | Notes |
|---|---|---|---|
| webp-https-errors | 4.7.2 | | Lure package; clean code; malice entirely via transitive dependency |
| prettier-lint-lenz | ^2.6.4 | | Dropper dependency; variant of prettier-lint family; executes on install |

URLs

| URL | Context |
|---|---|
| hxxp://204.10.194.64:5000/api/nonce | C2 beacon inherited from prettier-lint-lenz dropper |

Targeted File Paths

| Path | Context |
|---|---|
| %LOCALAPPDATA%\prettier-lint\ctll.mjs | Second-stage payload dropped by prettier-lint-lenz |
| web-http-errors/ | Unexplained bundled directory; possible secondary staging artifact |