MAL-2026-3153

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/apple-infra-final-escape/MAL-2026-3153.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3153
Published
2026-04-29T08:00:00Z
Modified
2026-04-30T23:07:52.583172Z
Summary
Malicious code in apple-infra-final-escape (npm)
Details

Malicious npm package published by threat actor "raya4321" as part of a coordinated typosquatting campaign impersonating Apple internal infrastructure services (authentication, PKI, telemetry, CloudKit, and cloud infrastructure). All packages in this campaign execute credential-theft payloads during npm installation via preinstall or postinstall lifecycle hooks.

Trigger: preinstall. The package functions as a second-stage payload loader: it executes /tmp/finalsweep.sh if that file is present, so payloads dropped by other packages in the same campaign get run. The package also bundles pwn.sh, which hunts for npm/GitHub authentication tokens (NPM_TOKEN, NODE_AUTH_TOKEN, GITHUB_TOKEN, NPM_AUTH_TOKEN) in the environment and in ~/.npmrc, then uses any token it finds to publish a trojanized version of apple-app-store-server-library to the npm registry (a supply-chain attack), and exfiltrates the results to https://webhook.site/85f78e76-dc73-4cb5-a65c-27f2c10db591.
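The behaviour described above hinges on an install-phase lifecycle hook handing control to a shell script in a temp directory. As an added example, not part of this OSV record or of the ossf/malicious-packages project, the following Python audits a package.json for install-phase hooks that match a few indicators of that pattern. The sample manifests are constructed for the example, and the indicator patterns are an assumption for illustration rather than a complete detection rule.

```python
from __future__ import annotations

import json
import re

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators drawn from the advisory text: a hook that runs a script out of a
# world-writable temp directory, or that runs a bundled shell script. The other
# two are common companions of such hooks. These are illustrative assumptions,
# not an exhaustive rule set.
SUSPICIOUS_PATTERNS = {
    "temp-dir script": re.compile(r"/tmp/"),
    "bundled shell script": re.compile(r"\b(?:sh|bash)\s+\S+\.sh\b"),
    "remote download": re.compile(r"\b(?:curl|wget)\b"),
    "inline node eval": re.compile(r"\bnode\s+-e\b"),
}


def audit_package_json(text: str) -> list[dict]:
    """Return one finding per (install hook, matched indicator) pair in a manifest."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(command):
                findings.append({
                    "package": manifest.get("name"),
                    "hook": hook,
                    "reason": label,
                    "command": command,
                })
    return findings


# Constructed sample: a manifest shaped like the loader described in the advisory.
# The package name and the exact command are made up for this example.
MALICIOUS_MANIFEST = json.dumps({
    "name": "example-typosquat",
    "version": "1.7.0",
    "scripts": {
        "preinstall": "[ -f /tmp/finalsweep.sh ] && sh /tmp/finalsweep.sh; true",
    },
})

# Constructed sample: a benign manifest whose postinstall runs a checked-in script.
BENIGN_MANIFEST = json.dumps({
    "name": "ok-lib",
    "version": "2.0.1",
    "scripts": {
        "build": "tsc",
        "postinstall": "node scripts/patch.js",
    },
})


if __name__ == "__main__":
    for manifest in (MALICIOUS_MANIFEST, BENIGN_MANIFEST):
        for finding in audit_package_json(manifest):
            print(f"{finding['package']}: {finding['hook']} -> {finding['reason']}: {finding['command']}")
```

Run it over the package.json of each direct and transitive dependency before install to surface hooks worth a manual look; it complements, rather than replaces, registry advisories such as this record. Setting `npm config set ignore-scripts true` in CI stops npm from running these hooks at all, which is the simplest mitigation for the preinstall trigger described here.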


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5f85575cbff2874c8b46829da379d736724e41f98a200b345e0c341e6f9d1a36)

The package apple-infra-final-escape was found to contain malicious code.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-04-30T22:23:14.098226115Z",
            "sha256": "5f85575cbff2874c8b46829da379d736724e41f98a200b345e0c341e6f9d1a36",
            "source": "amazon-inspector",
            "modified_time": "2026-04-30T21:59:18Z",
            "versions": [
                "1.7.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / apple-infra-final-escape

Package

Name
apple-infra-final-escape
Purl
pkg:npm/apple-infra-final-escape

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.7.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/apple-infra-final-escape/MAL-2026-3153.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]