MAL-2026-3602

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ml-toolkit-ts/xgboost/MAL-2026-3602.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3602

Published

2026-05-12T05:49:00Z

Modified

2026-05-12T07:07:44.291919Z

Summary

Malicious code in @ml-toolkit-ts/xgboost (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: google-open-source-security (5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5)

This package was compromised as part of the "Mini Shai-Hulud is back" worm by the TeamPCP threat actor.

The package will steal credentials and then propogate it to every package it has access to. The package also attempts to remain persistent.

Database specific

{
    "iocs": {
        "domains": [
            "git-tanstack.com",
            "filev2.getsession.org",
            "api.masscan.cloud",
            "seed1.getsession.org"
        ]
    },
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-12T06:23:00.48559Z",
            "sha256": "5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5",
            "source": "google-open-source-security",
            "modified_time": "2026-05-12T06:19:26Z",
            "versions": [
                "0.10.1"
            ]
        }
    ]
}

References

Affected packages

npm / @ml-toolkit-ts/xgboost

Package

Name: @ml-toolkit-ts/xgboost; View open source insights on deps.dev
Purl: pkg:npm/%40ml-toolkit-ts/xgboost

Affected ranges

Affected versions

1.*

1.0.3

1.0.4

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ml-toolkit-ts/xgboost/MAL-2026-3602.json"