MAL-2026-3836
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ctf-flare/MAL-2026-3836.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-3836
- Published
- 2026-05-18T11:54:34Z
- Modified
- 2026-05-26T06:02:27.277064157Z
- Summary
- Malicious code in ctf-flare (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (23293f1bc28e465f7ffaf916fd8a6cc3958b873a2b338b81c0bf71bb146d1d36)
package.json declares a postinstall script that runs
node src/install.jsafter building a local binary.src/install.jsis a 175 KB single-line payload obfuscated with aFunction(...)constructor wrapper, LZString-compressed UTF-16 string tables, and per-helper rotated base85 alphabets. Once de-obfuscated, the payload resolves the stringschild_process,node-fetch/fetch,-c,shell,detached,stdio,ignore, performs an outboundfetch(url, {headers:...}), reads the response body, and passes it torequire('child_process').spawn('sh', ['-c', <fetched-body>], {shell, detached, stdio:'ignore'}). This fires unattended onnpm installand runs attacker-controlled shell content with the installer's privileges. The multi-layer obfuscation (Function-constructor + LZString + rotated alphabets + global rebinding through aliased getters such asFTecFy['G9V6x7'] === require) exists solely to hide the fetch-and-exec from scanners and reviewers; legitimate install tooling does not need that. The shippedbin/flarebinary built bymakeis a local CTF-style reverse-engineering challenge (ptrace anti-debug, hardcoded magic constants, XOR-decoded flag string) and is not the installer-harm vector — the dropper insrc/install.jsis. The CTF framing in the README does not neutralize the install-time RCE: any developer runningnpm install ctf-flareexecutes whatever shell text the remote endpoint serves at that moment.Source: ossf-package-analysis (1e0cd8fbb0f9460f4c76a5479edc1354e5cd16fcee1929e83a3c1122ebbd1513)
The OpenSSF Package Analysis project identified 'ctf-flare' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
- Database specific
{ "malicious-packages-origins": [ { "versions": [ "1.0.0" ], "sha256": "1e0cd8fbb0f9460f4c76a5479edc1354e5cd16fcee1929e83a3c1122ebbd1513", "source": "ossf-package-analysis", "modified_time": "2026-05-18T11:54:34Z", "import_time": "2026-05-19T00:55:38.328675287Z" }, { "import_time": "2026-05-19T17:50:38.972849905Z", "sha256": "6d3d33b0a8806af9f1221e16d5c40b2156e9622753b976f62098f282ae64001f", "source": "amazon-inspector", "modified_time": "2026-05-19T16:47:48Z", "versions": [ "1.0.0" ] }, { "id": "IN-MAL-2026-003469", "versions": [ "1.0.0" ], "sha256": "23293f1bc28e465f7ffaf916fd8a6cc3958b873a2b338b81c0bf71bb146d1d36", "source": "amazon-inspector", "modified_time": "2026-05-20T05:18:25Z", "import_time": "2026-05-26T05:50:42.148649481Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- OpenSSF: Package Analysis - FINDER
-
Affected packages
npm / ctf-flare
Package
- Name
- ctf-flare
- View open source insights on deps.dev
- Purl
- pkg:npm/ctf-flare
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "src/install.js",
"sha256": "d32e8f6e1c6541d30167801a040af853d845097df22515e1fc168a4a3d477cc4",
"tlsh": "220453960eb11759b3de4b008e36ed4c10ac673a5f4874ceaff3e5f6a64cd564ae0a01"
},
{
"path": "src/main.c",
"sha256": "857564c9b45635b4c79159cf517d17b23ed6dd13472ac2c1e7b283ce1c50ff35",
"tlsh": "11e163552ea240e319979b7b938b51479318a02733a0fcd1f88fa54c9f83215e3b6ed4"
}
],
"package_integrity": [
{
"filename": "ctf-flare-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-XrLqWJBPbk1p6Z+dEQKaa1vscFdajbkZ71sk26URkLrVHg7ZU8d65yEhMw3MhhdIQKqUa12qoy4DjHT8DIwu9w==",
"sha1": "2cddaa74963256ae56d1f7a144c38a5343266fc2"
}
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ctf-flare/MAL-2026-3836.json"