MAL-2026-2406
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ceeferenderer/fe-renderer-sdk/MAL-2026-2406.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-2406
- Published
- 2026-03-24T09:03:41Z
- Modified
- 2026-05-13T20:22:19.978593Z
- Summary
- Malicious code in @ceeferenderer/fe-renderer-sdk (npm)
- Details
-
Multiple evidences suggest malicious intent: code obfuscation, dynamic code execution, process access, install script, and suspicious email.
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (feee20bafab758bb648bbe425a100a13e6d21799552a2b5566fe6029faef6ce4)
Package runs malicious code both at install time (package.json
installscript:node index.js) and at require time (main: index.js). index.js silently requires./lib/coreinside a try/catch. lib/core.js, with the help of two obfuscated helper modules (lib/b02e30.js and lib/6ad264.js), builds the strings 'os', 'dns', and 'oob.sl4x0.xyz' from numeric character-code arrays via String.fromCharCode and loads built-in modules throughmodule.constructor._load(...)to evade static inspection. It then assembles the subdomainceefe.<username>.<hostname>.<cwd_basename>.<unix_timestamp>.oob.sl4x0.xyzand issues adns.resolve4()lookup, exfiltrating the installer's OS username, hostname, and working-directory name to an attacker-controlled domain over DNS. The combination of auto-execution on install and require, character-code obfuscation of both the target domain and built-in module names, DNS (rather than HTTP) as the exfil channel, random-hex-named helper files, and silent try/catch swallowing of errors is an unambiguous credential-reconnaissance beacon. - Database specific
{ "malicious-packages-origins": [ { "import_time": "2026-04-07T14:39:19.852751577Z", "ranges": [ { "events": [ { "introduced": "0" } ], "type": "SEMVER" } ], "sha256": "2a80561f9a54ffd1bb641227597e1f38c12ce2b8a7424d92bdc7d7f30081603c", "source": "amazon-inspector", "modified_time": "2026-04-07T14:24:50Z" }, { "import_time": "2026-05-13T20:10:56.480470138Z", "sha256": "feee20bafab758bb648bbe425a100a13e6d21799552a2b5566fe6029faef6ce4", "id": "IN-MAL-2026-002367", "source": "amazon-inspector", "modified_time": "2026-05-12T19:03:07Z", "versions": [ "99.9.9" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- SafeDep - FINDER
-
Affected packages
npm / @ceeferenderer/fe-renderer-sdk
Package
- Name
- @ceeferenderer/fe-renderer-sdk
- View open source insights on deps.dev
- Purl
- pkg:npm/%40ceeferenderer/fe-renderer-sdk
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Database specific
cwes
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
indicators
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-bckRKyZ4wkSujNcOZzwO+nMajqo7Dw6f6WniXDBgE8il8Mq6o7GslYZGo+FthAO+J1rgTYsqYFp/Wl1iSjYJDg==",
"sha1": "43705aac00398492b82319164749ae5e136541c7"
},
"filename": "fe-renderer-sdk-99.9.9.tgz"
}
],
"evidence_files": [
{
"sha256": "d24415d02b2768deed6613ba41e3837825889459718a582d352a0805d40a321c",
"tlsh": "d0f02d69b393c48f97e096d0360a53d18559c3c0e7cf8195fb7c4a87904e7d1ca85a55",
"path": "lib/core.js"
},
{
"sha256": "8fb4af8838b119058f4dabd6102278e56f9707513813d76dd579c6926292362a",
"tlsh": "b2e068073307c94fa2880bfb7d0050a1ba0d8b5ca11dc0d6b528678500af443c0c0272",
"path": "lib/b02e30.js"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ceeferenderer/fe-renderer-sdk/MAL-2026-2406.json"