MAL-2026-4243
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ganache-cli-provider/MAL-2026-4243.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4243
- Aliases
-
- GHSA-hfp4-5fx7-5mwm
- Published
- 2026-05-20T00:21:32Z
- Modified
- 2026-05-26T06:02:34.518529462Z
- Summary
- Malicious code in ganache-cli-provider (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (144bbaf975156b3114f5526a7e9a8ffbe8eb411a541c7e457b7bf444200a02c5)
Package name impersonates the widely-used ganache-cli Ethereum development tool but ships only a 138-byte index.js stub that wraps ethers.getDefaultProvider — none of the advertised Ganache functionality is implemented. The package's only real behavior is a postinstall hook in package.json that runs an inline
node -escript issuing an HTTPS GET torqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry. Pinggy free-tunnel hostnames are user-created ephemeral tunnels (operator-controlled endpoints), and the URL path is crafted to mimic npm registry telemetry. The fetch reveals the installer's IP and User-Agent to the operator and confirms successful execution on the host; errors are silently swallowed via try/catch. The combination of typosquat name, sham implementation, and install-time beacon to an anonymous tunnel matches the name-squat dropper / install-time reconnaissance pattern.Source: ghsa-malware (9c84ea63480d182abd75e9f993c83905bbc216a0b0d662ad049da1241548b598)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
- Database specific
{ "malicious-packages-origins": [ { "import_time": "2026-05-22T03:24:54.63897482Z", "sha256": "9c84ea63480d182abd75e9f993c83905bbc216a0b0d662ad049da1241548b598", "source": "ghsa-malware", "id": "GHSA-hfp4-5fx7-5mwm", "modified_time": "2026-05-22T02:43:00Z", "ranges": [ { "events": [ { "introduced": "0" } ], "type": "SEMVER" } ] }, { "import_time": "2026-05-26T05:50:24.468087956Z", "versions": [ "1.7.51" ], "sha256": "144bbaf975156b3114f5526a7e9a8ffbe8eb411a541c7e457b7bf444200a02c5", "source": "amazon-inspector", "modified_time": "2026-05-20T00:21:32Z", "id": "IN-MAL-2026-003314" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / ganache-cli-provider
Package
- Name
- ganache-cli-provider
- View open source insights on deps.dev
- Purl
- pkg:npm/ganache-cli-provider
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Database specific
indicators
{
"evidence_files": [
{
"tlsh": "00f0a274e6384c7328d4196a1c6d2081e136cc0b8840fc08779b811dc35f67745fe149",
"sha256": "77ad81de8b2a4acbcf42fe0863b00434f3e444f0a427855fbaa96551c28b87ed",
"path": "package.json"
},
{
"tlsh": "eac02bd870ff9151929ec800640588f0a0c1cd2b4044421335154cbfd8fbc4804217e8",
"sha256": "35830ffc8658fa24a37587dbff2fb0ea6267b8cdbf3bde987742bdfb063894c7",
"path": "index.js"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-RXUZqYuRLwF+mK5zQZjt384uyOZ6I4gr60mX0tj6loFv3VOugmRRWsWPsW/ccg1zuBw5HYDpGeSeYDIcA1wNtw==",
"sha1": "540144d1c4ea7b3d9fb158c73dfadf35ee17dd02"
},
"filename": "ganache-cli-provider-1.7.51.tgz"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ganache-cli-provider/MAL-2026-4243.json"
cwes
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]