MAL-2026-4230

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptoco-auth/MAL-2026-4230.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4230
Published
2026-05-21T20:21:43Z
Modified
2026-05-26T06:02:26.197225742Z
Summary
Malicious code in cryptoco-auth (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (46f83b7a7a5e28fe4fadbd72b0d38ff322210501ef54807160a13b7d797e6c68)

On require(), index.js opens TCP connections to the cloud link-local metadata address 169.254.169.254 across ports 80, 443, 8080, 3000, 5432, and 6379, writing an HTTP probe on each successful connection. The package advertises itself as a crypto authentication library but contains no authentication code — its only runtime behavior is reconnaissance against the AWS/cloud Instance Metadata Service, a well-known precursor to IMDS credential theft on cloud VMs. The package manifest is minimal (no description, author, or repository), and the IP literal is annotated with an Indonesian-language comment explicitly identifying it as the AWS Metadata IP. The lure-style name combined with reconnaissance behavior and absent legitimate functionality is consistent with a malicious package targeting cloud-hosted installers.

Source: ossf-package-analysis (224727792d7795e1dff1348ad30dad0de77689bf284ac571b7aee280b49b5774)

The OpenSSF Package Analysis project identified 'cryptoco-auth' @ 1.0.6 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-21T22:53:48.526378775Z",
            "sha256": "224727792d7795e1dff1348ad30dad0de77689bf284ac571b7aee280b49b5774",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-21T21:40:31Z",
            "versions": [
                "1.0.6"
            ]
        },
        {
            "import_time": "2026-05-21T22:53:48.416193578Z",
            "sha256": "8e54c788edf1e2414d974f83e976140d5249c5cc2473c2ed15339c7b030a3d5e",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-21T21:15:38Z",
            "versions": [
                "1.0.3"
            ]
        },
        {
            "id": "IN-MAL-2026-004025",
            "versions": [
                "1.0.3"
            ],
            "sha256": "701d494408614029714cc75d7b55fc25fd283cde3e67c728a99f98515b2df097",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T20:55:32Z",
            "import_time": "2026-05-26T05:51:47.565891245Z"
        },
        {
            "id": "IN-MAL-2026-004041",
            "import_time": "2026-05-26T05:51:49.533695102Z",
            "sha256": "b9e90e6575a4d037bcad6cf0de4dd5ce096909402ecf6d56fb693290ab5ff678",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T21:56:40Z",
            "versions": [
                "1.0.8"
            ]
        },
        {
            "id": "IN-MAL-2026-004016",
            "import_time": "2026-05-26T05:51:46.544436411Z",
            "sha256": "c4eaaae32c756652d1a54fdc6960de4c1b8eb440128ed1a55b7970e50f44b07e",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T20:21:43Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-004032",
            "import_time": "2026-05-26T05:51:48.483585564Z",
            "sha256": "080d1711ace6d140b06304a1ef00ad0b79a8766248507dde481f77bab18e3394",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T21:07:36Z",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "id": "IN-MAL-2026-004017",
            "versions": [
                "1.0.1"
            ],
            "sha256": "295fd89295cd5ef408838ff18e43c0f904a99c23bb3a3a83c8af6498fe9702d6",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T20:30:30Z",
            "import_time": "2026-05-26T05:51:46.637876038Z"
        },
        {
            "id": "IN-MAL-2026-004036",
            "import_time": "2026-05-26T05:51:48.916076208Z",
            "sha256": "46f83b7a7a5e28fe4fadbd72b0d38ff322210501ef54807160a13b7d797e6c68",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T21:42:38Z",
            "versions": [
                "1.0.7"
            ]
        },
        {
            "id": "IN-MAL-2026-004035",
            "versions": [
                "1.0.6"
            ],
            "sha256": "6f90ded2b67d3d8055dd473d8c7b2e9b23f8466f1df2045ebe2c9c597438a447",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T21:36:52Z",
            "import_time": "2026-05-26T05:51:48.818786723Z"
        },
        {
            "id": "IN-MAL-2026-004024",
            "versions": [
                "1.0.2"
            ],
            "sha256": "79f6465edc658272b6e1cb444427a312096100bee99022f17b7ec9abfa308d92",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T20:52:30Z",
            "import_time": "2026-05-26T05:51:47.430489912Z"
        },
        {
            "id": "IN-MAL-2026-004034",
            "versions": [
                "1.0.5"
            ],
            "sha256": "9a686605cb26b04a1ed6ddcb32e18b06772ae353511851d7f5c677d3aa597c7e",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T21:18:32Z",
            "import_time": "2026-05-26T05:51:48.727144496Z"
        }
    ]
}
References
Credits

Affected packages

npm / cryptoco-auth

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "8883b689ad5a9726da5a3592717f44ea46b581468c6bff30ce3a934d959a824f",
            "tlsh": "19f0d3e1a25413fd5aa39ec03053a2144163e426b507a8e053cc02726fcc52d91779ec"
        }
    ],
    "package_integrity": [
        {
            "filename": "cryptoco-auth-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-jZn6Nzqgx+rzlDxiv37JuV6aIDUPJ+0F9GIWCn/fFBE+o8KkkYrRkZup5y7UeADSaHOB6P+14PdBlkVfs8oeWQ==",
                "sha1": "cf0cf9275bb86450baba34274304b1c928d5058f"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptoco-auth/MAL-2026-4230.json"