MAL-2026-3775

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tsliverhome/MAL-2026-3775.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3775
Published
2026-05-14T19:25:45Z
Modified
2026-05-15T07:51:35.760415Z
Summary
Malicious code in tsliverhome (npm)
Details

Source: amazon-inspector (0855b4d02a0d276e8a6cf97b7c62d457b8ef4d851e243d758c2308d451e0876e)

Package name 'tsliverhome' impersonates the widely-used 'tslib' package (~300M weekly downloads). The shipped README.md is a verbatim copy of Microsoft/tslib's README (titled '# tsliv', describing the TypeScript --importHelpers runtime library), designed to reassure a developer who mistyped the name. The actual code in index.js has no relation to tslib: the exported getPlugin() function issues an HTTP GET to https://verceljs-kappa.vercel.app/icons/23, JSON.parses the response body, and passes it directly to eval(). The destination is a generic Vercel preview-style host not tied to any declared publisher, is not version-pinned, and the fetched bytes are not hash- or signature-verified. Any consumer who imports this package and calls getPlugin() will execute arbitrary JavaScript under the control of whoever operates verceljs-kappa.vercel.app. Supporting signals: package.json ships placeholder metadata (empty description, empty author, no repository, no homepage), consistent with throwaway-publisher typosquat packages. The combination of (a) name-confusion with a top-tier target, (b) README impersonation of that target, and (c) a remote-fetch-and-eval payload in the exported API constitutes a deliberate supply-chain attack against developers who mistype 'tslib'.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002751",
            "import_time": "2026-05-15T07:37:18.889046706Z",
            "sha256": "0855b4d02a0d276e8a6cf97b7c62d457b8ef4d851e243d758c2308d451e0876e",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:45Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-002752",
            "import_time": "2026-05-15T07:37:18.992673854Z",
            "sha256": "5c4db6a48fc6f6bbda3c925104e3e6acd47c5d21462bbef4788fc4398b75d6ef",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:45Z",
            "versions": [
                "1.1.3"
            ]
        },
        {
            "id": "IN-MAL-2026-002753",
            "import_time": "2026-05-15T07:37:19.031866925Z",
            "sha256": "a864c875216fe3cb9b5f1c2bd83f8145cba56f4c5fe7b16ede8296984743f5e7",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:46Z",
            "versions": [
                "1.1.4"
            ]
        },
        {
            "id": "IN-MAL-2026-002754",
            "import_time": "2026-05-15T07:37:19.068122454Z",
            "sha256": "b67461921c7e465510602304d712f8caa79c28204ffb7861c3b0feb264ca8476",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:46Z",
            "versions": [
                "1.1.5"
            ]
        }
    ]
}

Affected packages

Package: npm / tsliverhome
Affected ranges / versions: 1.* (1.0.0, 1.1.3, 1.1.4, 1.1.5)

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "README.md",
            "sha256": "53d1dd98792e6d019dfc401ab0e7350892c0408e6821d9fdea7974ab05872bee",
            "tlsh": "05811e8e6e47dabd9ab165577e3bd40cf628e00f2f648841782c59394733e89022e719"
        },
        {
            "path": "index.js",
            "sha256": "e300425a83e4f465a990399e5f2cae4549b51660d0df9394ec4650a381a53fcf",
            "tlsh": "1a5144921c9021235672efe45607c524f625f22a325282b2b9afc5c02fb7a94a693ccc"
        },
        {
            "path": "package.json",
            "sha256": "8590bb596adc06fdb244bc908020dfb6f7feb9480ab4f76a23a164371ad13083",
            "tlsh": "7ce02024cd20992308c961925c7d5087a660ee1f0804fc0d93db196c8bce57718fd35d"
        }
    ],
    "package_integrity": [
        {
            "filename": "tsliverhome-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-6rXjAfs5RisJsxUcSxLOYWCk9Jvqd1zly8VGVcGoyfiRG1OBwpUAlti+VFMGWU0K6lXxfJaPsFoUsH6bBvSEYg==",
                "sha1": "dc752fc0466fba8066f5358150009e4c85c46a8d"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tsliverhome/MAL-2026-3775.json"