MAL-2026-10738

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mui-option/MAL-2026-10738.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10738
Published
2026-07-16T18:36:24Z
Modified
2026-07-16T19:19:48.580702971Z
Summary
Malicious code in mui-option (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8e1c3ec117eaeedbd4c3f64c2fec97d44e115d400c7e52082b7d6cc28f7c59ec)

The sole shipped file index.js is heavily obfuscated with a base64+RC4 string-array decoder that hides all module names, URLs, and method identifiers. On import (main entrypoint), it requires childprocess, os, fs, path, crypto and https, issues an https.get to a runtime-decoded URL, splits the response on ':' into an IV and ciphertext, derives a key with crypto.scryptSync, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under os.tmpdir(), and executes that file via childprocess.exec. The package has no legitimate advertised functionality, its name resembles the MUI ecosystem, and no other code path exists. Any project that requires mui-option triggers execution of attacker-controlled native code on the installer host. The tarball also ships npmrecoverycodes.txt containing five 64-character hex strings matching the format of npm 2FA recovery codes, suggesting a publishing-account compromise.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-07-16T18:54:00.65371986Z",
            "sha256": "8e1c3ec117eaeedbd4c3f64c2fec97d44e115d400c7e52082b7d6cc28f7c59ec",
            "modified_time": "2026-07-16T18:36:24Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010713"
        }
    ]
}
References
Credits

Affected packages

npm / mui-option

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "mui-option-1.0.0.tgz",
            "hashes": {
                "sha1": "eac439d266c9365e9dfb62a9c47627a2d3bf8227",
                "sha512_sri": "sha512-B1TDWJLQx59YgsfC3dLm+luiywSZwZuBxmb5Q7crxMokqRxgvc4YVdVoL/BGYoE7plGGMzLJIozrYZ6WBkGbdw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "92b297c83fc1b0d04627b0fba95b6594e13a6cccb38c9449f7a6f068fd58314e566b68",
            "sha256": "e3e7b2e8b98ba8d52f781c1c1ebc8299bdc85da4fc2e5f50be38685a76d03775",
            "path": "index.js"
        },
        {
            "tlsh": "0ee0c06d98485b120d56daaad5582a031b6507218b7474252cdb85a10252d63db18814",
            "sha256": "b355830a244eff00049a313d6d47abaab1a5e2b418c04c9372a56ef268e4abbe",
            "path": "npm_recovery_codes.txt"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mui-option/MAL-2026-10738.json"