MAL-2026-3717

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/truffle-js/MAL-2026-3717.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3717
Published
2026-05-13T12:10:40Z
Modified
2026-05-15T07:51:34.946644Z
Summary
Malicious code in truffle-js (npm)
Details


Source: amazon-inspector (52bd5b41de871fbbc8c5895f63dfec08ba2ff6ecb9ea03fa6fdb5d9245c74616)

The package.json lifecycle script invokes require('child_process').execSync with a curl command at install time. Running curl through child_process during an npm install lifecycle hook causes any installer to execute remote content fetched over the network, without consent, as soon as npm install runs. The package name also resembles the widely-used 'truffle' Ethereum development toolkit, consistent with a typosquat lure. There is no legitimate reason for a small utility package to shell out to curl from its package.json install hook.

Source: ossf-package-analysis (c190460255cf713f1797bacece635079c6d3db6a45a58199af29ab1acc9faa2f)

The OpenSSF Package Analysis project identified 'truffle-js' @ 2.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-13T21:58:23.402650301Z",
            "sha256": "c190460255cf713f1797bacece635079c6d3db6a45a58199af29ab1acc9faa2f",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-13T12:10:40Z",
            "versions": [
                "2.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-002697",
            "import_time": "2026-05-15T07:37:17.1304792Z",
            "sha256": "52bd5b41de871fbbc8c5895f63dfec08ba2ff6ecb9ea03fa6fdb5d9245c74616",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:11Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}

Affected packages

Package: npm / truffle-js

Affected ranges: 1.*, 2.*

Affected versions: 1.0.0, 2.0.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "7744b7d6043dca4f06bedcfd7f313659f70789148878128668a7847c44d97f7a",
            "tlsh": "34f09e14ef1015b314c15e560e175dce5177892740547c64a25f911c839c7fb28ff51a"
        }
    ],
    "package_integrity": [
        {
            "filename": "truffle-js-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-CdgVp4qkSZog1dpdY5FedOYEvppGwsIeJVdTpQGTVWKq87lFLYp7POTSCy2CpTImIByMmujBRhMQw4Wd7q1/DQ==",
                "sha1": "57e6d2e75c1ee988439119fab5d3180c1e22b434"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/truffle-js/MAL-2026-3717.json"