MAL-2026-4377

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@ctrl/plex/MAL-2026-4377.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4377
Withdrawn
2026-05-26T17:12:48Z
Published
2026-05-20T19:34:41Z
Modified
2026-05-27T00:31:54.576203984Z
Summary
Malicious code in @ctrl/plex (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (20e1aad15739a79a359d88099a004fa395b66df8845c10823824e848f095c568)

The @ctrl/* npm scope was compromised in the Shai-Hulud supply-chain incident (September 2025). Versions of @ctrl/plex published during and after the compromise window have been observed shipping credential-harvesting payloads that exfiltrate developer secrets (npm tokens, GitHub tokens, cloud credentials, SSH keys) and self-propagate by republishing other packages owned by the same maintainer. @ctrl/plex@6.0.0 falls within the affected version range for this scope. Installing this version is expected to execute attacker-controlled code that harvests installer credentials and attempts further package compromise.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003603",
            "versions": [
                "6.0.0"
            ],
            "sha256": "20e1aad15739a79a359d88099a004fa395b66df8845c10823824e848f095c568",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T19:34:41Z",
            "import_time": "2026-05-26T05:50:56.773305951Z"
        }
    ]
}
References
Credits

Affected packages

npm / @ctrl/plex

Package

Name
@ctrl/plex
Purl
pkg:npm/%40ctrl%2Fplex

Affected ranges

Affected versions

6.*
6.0.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "plex-6.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-jePuUoidz7OHUOAYSnLBrBNWISj2+dy6t7oIRCVGZbj/rFOgFpic1Nwuks2IPoZ0J6J7kTKR0+yXyRzBLkafuw==",
                "sha1": "8335acc541bae5d1dc6efc400e9a72eb6bfa44ed"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@ctrl/plex/MAL-2026-4377.json"