MAL-2026-3606

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ml-toolkit-ts/MAL-2026-3606.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3606

Published

2026-05-12T05:49:00Z

Modified

2026-05-12T07:12:56.633020Z

Summary

Malicious code in ml-toolkit-ts (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: google-open-source-security (5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5)

This package was compromised as part of the "Mini Shai-Hulud is back" worm by the TeamPCP threat actor.

The package will steal credentials and then propogate it to every package it has access to. The package also attempts to remain persistent.

Database specific

{
    "iocs": {
        "domains": [
            "git-tanstack.com",
            "filev2.getsession.org",
            "api.masscan.cloud",
            "seed1.getsession.org"
        ]
    },
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-12T06:23:00.48559Z",
            "sha256": "5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5",
            "source": "google-open-source-security",
            "modified_time": "2026-05-12T06:19:26Z",
            "versions": [
                "0.10.1"
            ]
        }
    ]
}

References

Affected packages

npm / ml-toolkit-ts

Package

Name: ml-toolkit-ts; View open source insights on deps.dev
Purl: pkg:npm/ml-toolkit-ts

Affected ranges

Affected versions

1.*

1.0.4

1.0.5

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ml-toolkit-ts/MAL-2026-3606.json"