-= Per source details. Do not edit below this line.=-
This package is a dependency-chain dropper. Its package.json declares 15 undocumented dependencies in three numbered families (web3chain02032*, rusttool0701*, btc202523*), each with the caret range ^1.1.1; that range is not an exact pin and accepts any later 1.x release, so the code these dependencies deliver can change after this package was published. None of them appear in the README, which describes a standalone Go miner. The bundled tranpack.sh demonstrates the mass-publishing campaign: it is an infinite loop that rewrites the name field of package.json from a ~500-word crypto/DeFi wordlist and runs npm publish, and the current name, 3pool-sushibar, is an output of that generator. The package itself is non-functional — the declared main entry index.js does not exist — supporting the conclusion that its only purpose is to pull in attacker-controlled siblings. Two undocumented 22 MB Windows .exe binaries with mismatched hashes further contradict the README's source-only build story. Running npm install 3pool-sushibar fetches 15 attacker-controlled packages whose code sits one dependency hop away from the files inspected here; this is direct harm to the installer via namespace abuse combined with a typosquat lure.
{
"malicious-packages-origins": [
{
"modified_time": "2026-05-12T19:03:07Z",
"import_time": "2026-05-13T20:10:52.155142725Z",
"sha256": "5112bb2ea3570e56be6525c48ef026624f46dead693e78333696273c911c6c42",
"versions": [
"1.0.0"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-002166"
}
]
}{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-2gWpEcrZ1+7FlPh0r3MN3tz2dKxCjYZatJyM/zcA3PXTDO8+sWlUvT6wi0l3VrKvFsOhF5Ma3Df6po0IhyLuUA==",
"sha1": "0643af94cdd04282527e983bb73a8201c3195b68"
},
"filename": "3pool-sushibar-1.0.0.tgz"
}
],
"evidence_files": [
{
"tlsh": "741103a1cf26cab30e9d25dc855d002df2618a278845f81d37d7564ccb1e6ab71b817d",
"sha256": "c4378a5c3df23278db5252054add3d6a525f98fd747f5c1ee56a7415c4fd084c",
"path": "package.json"
},
{
"tlsh": "8ed12f32f6414c3486ea03ee49650956f385c28bc389107cff4bbb8cab6ef5ad956614",
"sha256": "73def82b6c52b14bd664007f99f7f469efd809fe99bc5297a77d17674e75459d",
"path": "tranpack.sh"
},
{
"tlsh": "52273a42f65049eacaa98674c9aa4385b770fc405f26a7c72b05f63c3c737d89eb8354",
"sha256": "3dbe880f08a8c880bdf647e11826acdc58198cd54a55b8c22402118b80c67423",
"path": "powerc20.exe"
}
]
}
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/3pool-sushibar/MAL-2026-3673.json"