MAL-2026-10502

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gamified-trading-system/MAL-2026-10502.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10502
Published
2026-07-13T21:34:00Z
Modified
2026-07-13T22:01:56.579140364Z
Summary
Malicious code in gamified-trading-system (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f24facab67c0c7bd4775a6081ee54f4fab3fa7a5dd93b52a87f1111088e5e501)

The package advertises itself as a trading-gamification library (XP, leaderboards, updateProgress/getLeaderboard) but its source contains none of those APIs. The only meaningful exports are setDefaultModule and getPlugin. getPlugin assembles the URL https://svganchordev.net/icons/116 from split string fragments (protocol/domain/separator/path/token), fetches it with a fake bearrtoken: 'logo' header, and passes the response's data.credits field to new Function('require','module','exports',...,'Promise', data.credits) invoked with require, process, Buffer, and other host globals. This is a remote loader: whoever controls the attacker endpoint controls arbitrary code executed in the installer's Node process with full module privileges. A second function setDefaultModule fetches font-awesome SVGs from cdnjs as a decoy to camouflage the active loader. Declared runtime dependencies (@primno/dpapi, better-sqlite3, node-machine-id) line up with Windows DPAPI credential-decryption / machine-fingerprinting payloads commonly delivered by this loader shape. The package also ships an ed25519 OpenSSH private key (gitlab, comment testm@DESKTOP-PO28IS1), corroborating sloppy/hostile provenance.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T21:34:08Z",
            "versions": [
                "3.6.2"
            ],
            "sha256": "4fe587022b4c37397e4dc27224cb42d69a60b6b632e22c3c01f62c6e6a95a368",
            "import_time": "2026-07-13T21:49:34.070594773Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010327"
        },
        {
            "modified_time": "2026-07-13T21:34:00Z",
            "versions": [
                "3.1.0"
            ],
            "sha256": "f24facab67c0c7bd4775a6081ee54f4fab3fa7a5dd93b52a87f1111088e5e501",
            "id": "IN-MAL-2026-010326",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T21:49:33.975864137Z"
        }
    ]
}
References
Credits

Affected packages

npm / gamified-trading-system

Package

Name
gamified-trading-system
View open source insights on deps.dev
Purl
pkg:npm/gamified-trading-system

Affected ranges

Affected versions

3.*
3.1.0
3.6.2

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "89c1606546fa31a36a67f4eef30f100271a5e3133759e971f48e42902fca568e5f24e8",
            "sha256": "c320c60283b6622ddd7a4cf0086da6513abd6ed3567a144e538d4eee082a6554",
            "path": "index.js"
        },
        {
            "tlsh": "5bf07815ce20eea329d521566938a057a921dd0b8d00fc0c338e4b9d1f8e06f3afe35c",
            "sha256": "09c9ec61658ed912e6af5cb4aaa938f85222456cd1e68e8c67e3f677f8153237",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "383692d96ba0740f11da05bf0eaed58d44f81730",
                "sha512_sri": "sha512-o93wHpJgcqo7eAAUeS+Eyc2OHV2alD2wsIE/8FxLUvlSlmlXXCy/4U4lltYoDP6OZEamk1fEovWsXRa2wdFjeQ=="
            },
            "filename": "gamified-trading-system-3.6.2.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gamified-trading-system/MAL-2026-10502.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]