MAL-2026-3666

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/01-0redi7qgbz0uv/MAL-2026-3666.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3666

Published

2026-05-12T07:44:18Z

Modified

2026-05-13T20:23:10.838933Z

Summary

Malicious code in 01-0redi7qgbz0uv (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5ceb633970757ab5d5ee0b64512c18d46be8402ac2169769101655a697ee5d6d)

the analysis found that this package has a garbage randomized name ('01-0redi7qgbz0uv'), empty description, placeholder test script, and an index.js that is not valid JavaScript confirms hyphenated/numeric-leading identifiers that cannot be parsed). It has no functional code whatsoever. Its sole observable effect is to pin 40+ obscure wallet/crypto/trading-themed dependencies at 'latest' (walletgeninjsio, transferbwallets, balancetracking, arbitexchange, cryptoperfume, -rypto-ompareinfo, etc.). This matches the meta-package dependency-delivery pattern: the package itself contains no payload, but installing it forces installation of an arbitrary batch of attacker-controlled packages at whatever the latest version happens to be. Under the generic-placeholder-metadata-plus-network calibration (placeholder metadata + indirect supply-chain reach), combined with (a) non-functional entrypoint, (b) randomized name indicating no intended human consumer, and (c) crypto-themed transitive targets at floating 'latest' ranges, there is no legitimate use case for this package.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002418",
            "import_time": "2026-05-13T20:10:56.789264488Z",
            "sha256": "5ceb633970757ab5d5ee0b64512c18d46be8402ac2169769101655a697ee5d6d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/01-0redi7qgbz0uv/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / 01-0redi7qgbz0uv

Package

Name: 01-0redi7qgbz0uv; View open source insights on deps.dev
Purl: pkg:npm/01-0redi7qgbz0uv

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "d99a7eeb310a2d5e976508013122fbf0610c3070323e97f026f3d1d46c3b109b",
            "tlsh": "3c21a538cba35c2b6488336598a65353fb54c5174e00781ab786519c9fde06b2cbd31e"
        },
        {
            "path": "index.js",
            "sha256": "74029fd758da333c05dbc9a577e4ecdddac69e5152f8a79474712b076502d207",
            "tlsh": "7a3174e023d9f079b9f152c5f9f1926725a7d325b203daa2c69940e305c30c56f97db8"
        }
    ],
    "package_integrity": [
        {
            "filename": "01-0redi7qgbz0uv-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-0Z+XGoE89kpGCOwHoHY70hqrxdmHbwlodTdGDdECUOH6RrwJXpK0S0kYuGryH3YRM6ReBucFmFMURNBoN9dc8w==",
                "sha1": "c2c18ee8c808b9f4ddb8b6e8876d06c06804ce3c"
            }
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/01-0redi7qgbz0uv/MAL-2026-3666.json"