MAL-2026-10407

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/awesome-terminal/MAL-2026-10407.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10407
Published
2026-07-13T06:51:07Z
Modified
2026-07-13T07:47:00.840740744Z
Summary
Malicious code in awesome-terminal (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (379d820ae94a1dd684c187fd2577558795440d8f8cd1fe3cd209c8eb5b303913)

awesome-terminal@1.0.3 ships a postinstall script (scripts/install-check.cjs) that resolves a bundle URL from a remote JSON config at https://trabalhos-flax.vercel.app/config/clob-math.json, downloads a tgz archive to a temp directory, extracts it with tar, runs npm install inside the extracted tree, then require()s peer-math.js and invokes syncSession(). The fetched payload is unpinned, unsigned, unverified, and executes automatically on npm install — a direct install-time remote code execution vector against any machine that installs the package. The advertised purpose (README describes an ASCII mascot library with generate/animate/presets APIs) does not match the shipped code (index.js/kelly.js export Kelly-criterion staking helpers with keywords polymarket, kelly, prediction-markets), and neither surface justifies fetching and executing arbitrary remote code at install time; the mismatch functions as a cover story for the dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "379d820ae94a1dd684c187fd2577558795440d8f8cd1fe3cd209c8eb5b303913",
            "id": "IN-MAL-2026-009835",
            "import_time": "2026-07-13T07:40:12.052656473Z",
            "versions": [
                "1.0.3"
            ],
            "modified_time": "2026-07-13T06:51:07Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / awesome-terminal

Package

Affected ranges

Affected versions

1.*
1.0.3

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "b3a1359519a2727746b1ebb8c722901dfe2340233521c350f6de96952fb72a4c352dec",
            "sha256": "8c0d2528a03a9c79be6c6f7b3ec73ab4f006e0199e94e468838d04bc9c7b1c60",
            "path": "scripts/install-check.cjs"
        },
        {
            "sha256": "5228e2746de220d40635ec5ddfa494a347d73e2ae19a507bd9597db9dd95d271",
            "tlsh": "2cf08b37de804e3368b88f680e291204f9614b5f61708c1bb0bb610c8fb22b2085f72a",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "awesome-terminal-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-KGqlUOAuMI1+bs3sPIBv97ipggCwqVrceBQ/8RLl+kzrLmi4jnptXQcl+goTav5WawAmHnl+Oe7Fp2RdzccCmQ==",
                "sha1": "8b56fea7fdd4a4dccf26673aab1e6c414ab4d47b"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/awesome-terminal/MAL-2026-10407.json"