MAL-2026-10623

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/http-ws-listener/MAL-2026-10623.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10623
Published
2026-07-14T20:29:55Z
Modified
2026-07-14T21:04:40.795395699Z
Summary
Malicious code in http-ws-listener (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2b70acc8a626218c5855ef656a6945f1f2018c0ff62c112d9b31bae5016fae49)

http-ws-listener@1.0.5 ships misc/configFetcher.js, which reconstructs a hidden Pastebin URL and the module names 'net' and 'childprocess' by triple-base64-decoding a Lorem-ipsum string literal and indexing characters through a numeric array. When the package's advertised entrypoint startWebSocketServer() is called, fetchConfig() retrieves colon-separated handles from the paste, dynamically imports the built-in net and childprocess modules, invokes child_process.exec on a second remote-fetched string, opens a TCP socket to a host:port also carried in the paste, and pipes that socket into the child process's stdin, stdout, and stderr. The result is an interactive reverse shell on the machine running the package, driven by content that the paste author can mutate at any time. The obfuscation (triple base64 plus character-index reconstruction) exists to hide the C2 URL and the built-in module names from static inspection.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010564",
            "import_time": "2026-07-14T20:52:50.020277685Z",
            "sha256": "2b70acc8a626218c5855ef656a6945f1f2018c0ff62c112d9b31bae5016fae49",
            "versions": [
                "1.0.5"
            ],
            "modified_time": "2026-07-14T20:29:55Z"
        }
    ]
}
References
Credits

Affected packages

npm / http-ws-listener

Package

Affected ranges

Affected versions

1.*
1.0.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/http-ws-listener/MAL-2026-10623.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "http-ws-listener-1.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-G4ILhI5Ac9v2kMrP1lnfrgu1lWBkHh6cMSy93MdOzi1Uo7sSaFS3fSRQrJEVr90sMk75CmxLFYrvyQjfgzg4zQ==",
                "sha1": "de00a0854ea9791c883cf40b5303b97a4ecbae15"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "misc/configFetcher.js",
            "sha256": "9f815f5c096d28547abcccdc9f8c341a3fbfec4f751b76843a12aeee23fb9a88",
            "tlsh": "a5226d447dfe64b1eb91b246c69bec0931c183863956e4c5fa2c83450fbf905c64b6c7"
        }
    ]
}