MAL-2026-10107

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/security-node/MAL-2026-10107.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10107
Published
2026-07-09T23:02:15Z
Modified
2026-07-09T23:47:00.164467039Z
Summary
Malicious code in security-node (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2450dc325921e41fd15c24339c29dc86bef36424dd6f8447c07cffd219f3955a)

package.json declares the package's own name as both a dependency and devDependency pointing to http://pack.nppacks.com/npm/security-node, a non-npm-registry host served over plaintext HTTP. On npm install, npm fetches whatever tarball that URL currently serves and installs it as nodemodules/security-node, replacing the registry-published contents with code delivered from a mutable third-party host over an unauthenticated channel. This bypasses registry-side scanning and version pinning; the operator of pack.nppacks.com (or any on-path MITM against the plain-HTTP fetch) controls the code that lands in the installer's nodemodules on every install. The shipped index.js itself is a benign Babel DefinePlugin-style transform with a self-declared 'Security Research Testing Purpose' header comment, but the tarball substitution mechanism is the installer-harm surface, independent of the current in-tarball code.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "2450dc325921e41fd15c24339c29dc86bef36424dd6f8447c07cffd219f3955a",
            "id": "IN-MAL-2026-009592",
            "import_time": "2026-07-09T23:30:55.828134674Z",
            "modified_time": "2026-07-09T23:02:15Z",
            "versions": [
                "1.1.4"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / security-node

Package

Affected ranges

Affected versions

1.*
1.1.4

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "cf9d7cd2d611d5095d17e3dfc39d1c0371f0b1fc4398a48780cf2e4d1ae443c0",
            "tlsh": "e4f0fc08ce35e93344c565629937450662349d975c99fe0c37c7061d9fcd56720f459c",
            "path": "package.json"
        },
        {
            "sha256": "f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41",
            "tlsh": "71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "security-node-1.1.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-1C/3jRlzz/+stUm/0BIw608icP3w/txACn4SI9Hq72RTRKtRs4Kri8IijgMUnClFPye8s5CbDiODhh+yfWCEOw==",
                "sha1": "d1e734f01abe4d19bce47dccdfcde5944cf0b0b7"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/security-node/MAL-2026-10107.json"