MAL-2026-4360

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@aledan007/tester/MAL-2026-4360.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4360

Withdrawn

2026-05-26T17:57:12Z

Published

2026-05-20T18:38:50Z

Modified

2026-05-27T00:32:00.995608915Z

Summary

Malicious code in @aledan007/tester (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ab03e3eef2f59f358cdaacedf2d9facb12077110c5402ad36aad6e3581e66439)

The bundled server file dist/server/index.js contains a hardcoded reference to the attacker-controlled domain https://evil.attacker-example.com adjacent to fetch() and POST primitives, alongside require("childprocess") usage. The combination of an explicit external attacker domain wired to outbound POST/fetch calls together with childprocess import is the canonical shape of an installer-side exfiltration / remote command execution payload. The destination is not a vendor/publisher domain and has no legitimate purpose; any installer requiring or running this package risks having host data and command output sent to the attacker endpoint.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-20T18:38:50Z",
            "versions": [
                "0.4.5"
            ],
            "sha256": "ab03e3eef2f59f358cdaacedf2d9facb12077110c5402ad36aad6e3581e66439",
            "id": "IN-MAL-2026-003589",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:55.009427495Z"
        }
    ]
}

References

https://www.npmjs.com/package/@aledan007/tester/v/0.4.5

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / @aledan007/tester

Package

Name: @aledan007/tester; View open source insights on deps.dev
Purl: pkg:npm/%40aledan007%2Ftester

Affected ranges

Affected versions

0.*

0.4.5

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "6fe8e9e5e80f11013ed6a6ed6d5e1ba186204038d28f05be27dce81cfe3aff7e",
            "tlsh": "82a3d796689361335e9242b7fbde00517f28d2074325b8fcfced92540f4a49da2b7e94",
            "path": "dist/index.d.ts"
        },
        {
            "sha256": "60db4e41dd65e1d1418fcc24ee49c62bdb3efefc57f177b8f4db64ef92a72b77",
            "tlsh": "85e3e71925f710321623617d6a1ba005b731e9033949ed88bfec93503f8d929dab7bed",
            "path": "dist/server/index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "tester-0.4.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-X5MNBy2hHXngNIwHkVueWo2+oTODC2xq4sfQNuMENS5cbppqt6yEQtVa6WDqON+Ne3Qhfjdjr1+UTlLo8ZaZKA==",
                "sha1": "4be991dfb186b574d0df93d9daf762ab72f9da95"
            }
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@aledan007/tester/MAL-2026-4360.json"