MAL-2026-2528
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sjs-lint-build1/MAL-2026-2528.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-2528
- Published
- 2026-04-09T14:04:30Z
- Modified
- 2026-04-10T17:35:12.516557Z
- Summary
- Malicious code in sjs-lint-build1 (npm)
- Details
-
sjs-biginteger typosquats big.js on npm. Published April 7, 2026 by throwaway account vanes.s.p.orit.a, the package ships legitimate big.js source and hides its payload in a dependency: sjs-lint-build1. On install, the dependency’s postinstall hook fetches the attacker’s SSH public key from a C2 server, appends it to ~/.ssh/authorized_keys, opens firewall port 22, then collects SSH keys, environment variables, config files (.env, Solana id.json, config.toml), and system fingerprints. It exfiltrates the collected data to two Vercel-hosted C2 domains disguised as Cloudflare services.
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (cba6ed57b1eb82592650453ea703d44d9294be1c1c3316f4562ff4f197e6c0f6)
The package sjs-lint-build1 was found to contain malicious code.
- Database specific
{ "malicious-packages-origins": [ { "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "sha256": "cba6ed57b1eb82592650453ea703d44d9294be1c1c3316f4562ff4f197e6c0f6", "source": "amazon-inspector", "modified_time": "2026-04-10T17:02:58Z", "import_time": "2026-04-10T17:21:49.017936724Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- SafeDep - FINDER
-
Affected packages
npm / sjs-lint-build1
Package
- Name
- sjs-lint-build1
- View open source insights on deps.dev
- Purl
- pkg:npm/sjs-lint-build1