MAL-2026-10405

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@torbeck/heap/MAL-2026-10405.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10405
Published
2026-07-13T06:53:07Z
Modified
2026-07-13T07:47:00.903871083Z
Summary
Malicious code in @torbeck/heap (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b8f88862ffacb671bdaed8521274293d5ef20bafee0deb91cc38cd852daa6a7d)

@torbeck/heap impersonates the legitimate @datastructures-js/heap package: README.md line 1 reads # @datastructures-js/heap, package.json sets homepage/repository/bugs to github.com/datastructures-js/heap and author to Eyas Ranjous <eyas-ranjous@gmail.com>, while the npm scope @torbeck is unrelated. The package re-exports the genuine Heap class so consumers get a working API. Appended to src/heap.js after exports.Heap = Heap; (around line 247) is a heavily obfuscated obfuscator.io payload (two rotated string-array RC4-style decoders, ~580 and ~700 entries, with Function.toString anti-tamper traps and console-method override checks). On require('@torbeck/heap') via the package's index.js main entry, the payload derives an AES key by XORing four hardcoded buffers, decrypts a hidden URL, issues an http/https.request to download a binary into os.tmpdir(), writes a PID lock and.meta.json with a sha256, chmods the file to 0755, and spawns it detached via process.execPath or bash -c with stdio:'ignore', windowsHide:true, and unref() — plus a re-exec wrapper that respawns the parent under a sentinel. Platform-specific branches handle win/linux/mac. There is no version pinning or signature check on the downloaded bytes, the URL is concealed by obfuscation, and the dropped binary's purpose is unrelated to a heap data-structure library. This is a typosquat carrying an install/require-time RCE dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0999453caf66088321ca8bf3347a0e2c7cc7bc835589da8b6d2c904735d1f4d4",
            "id": "IN-MAL-2026-009839",
            "import_time": "2026-07-13T07:40:12.305478052Z",
            "modified_time": "2026-07-13T06:53:14Z",
            "versions": [
                "4.3.14"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "b8f88862ffacb671bdaed8521274293d5ef20bafee0deb91cc38cd852daa6a7d",
            "id": "IN-MAL-2026-009838",
            "import_time": "2026-07-13T07:40:12.227981856Z",
            "modified_time": "2026-07-13T06:53:07Z",
            "versions": [
                "4.3.11"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "4.3.10"
            ],
            "id": "IN-MAL-2026-009840",
            "import_time": "2026-07-13T07:40:12.39331954Z",
            "modified_time": "2026-07-13T06:53:22Z",
            "sha256": "84b533170c48284483245bcf2eb3e05e1b7721ee4b40bac5328cd1466bd08b18",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @torbeck/heap

Package

Name
@torbeck/heap
View open source insights on deps.dev
Purl
pkg:npm/%40torbeck/heap

Affected ranges

Affected versions

4.*
4.3.10
4.3.11
4.3.14

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "heap-4.3.14.tgz",
            "hashes": {
                "sha512_sri": "sha512-6aw5nM2QQxymgkuqnKmsOItDqthH6G09dExKKLj3Uyhz+Gn1hF2zmI9yYDA+IpNHJRIVbSDM9oaoo8ApKmeZRQ==",
                "sha1": "a0afa5e2b2e6b97ef702903ff4cf3b944db83a37"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "81a31c857eeb30af525221b3512b6186e85d9c5db24c8508f465ccecff9423ce2a67bc",
            "sha256": "c0ccf76717c4fbb6bad0405fd18d64a662fd1d88a810e9d8e04e0bf4679821a0",
            "path": "src/heap.js"
        },
        {
            "sha256": "97e8bded23a9d0725301d5dd7bc2d442268b6fdfd821b605b413027d93a3e99e",
            "tlsh": "61116aa8e97e8da30ad469d1a46e15517212588b4c48f84df396033c8f4e66f31f8b1e",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@torbeck/heap/MAL-2026-10405.json"