MAL-2026-4384

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@dreamlake/lakeshore/MAL-2026-4384.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4384
Withdrawn
2026-05-26T17:59:39Z
Published
2026-05-23T17:57:32Z
Modified
2026-05-27T00:31:54.717370444Z
Summary
Malicious code in @dreamlake/lakeshore (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8ef6f14503697000ebd139364326d859a625a27a669e6f53b3e7a9388c3b0b25)

On install, dist/cli/daemon/install.js fetches content from https://pub-c0109e197b4a4d1abe5884ac4dd3a023.r2.dev — an anonymous Cloudflare R2 bucket — and posts to remote endpoints. Anonymous R2 buckets (pub-*.r2.dev) are documented payload-distribution infrastructure used by recent npm dropper campaigns: the bucket owner can rotate the served bytes at any time without changing the package, and there is no publisher-matching, no version pinning, and no integrity check tying the fetched content to this package. The host does not match any documented publisher domain for @dreamlake/lakeshore. This is the malicious-dropper shape — install of the package causes execution of attacker-mutable remote content on the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "8ef6f14503697000ebd139364326d859a625a27a669e6f53b3e7a9388c3b0b25",
            "id": "IN-MAL-2026-004560",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T00:11:57Z",
            "versions": [
                "0.1.17"
            ],
            "import_time": "2026-05-26T05:52:50.585222726Z"
        },
        {
            "sha256": "a722945fb02975cc590fa4f04111019077c605524db3b327e215b1d414b1fc64",
            "id": "IN-MAL-2026-004376",
            "source": "amazon-inspector",
            "modified_time": "2026-05-23T17:57:32Z",
            "versions": [
                "0.1.16"
            ],
            "import_time": "2026-05-26T05:52:28.713382918Z"
        }
    ]
}

Affected packages

npm / @dreamlake/lakeshore

Package

Name
@dreamlake/lakeshore
Purl
pkg:npm/%40dreamlake%2Flakeshore

Affected ranges

Affected versions

0.*
0.1.16
0.1.17

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@dreamlake/lakeshore/MAL-2026-4384.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "9a135b9e89303d943157cc44d10ef9e0df730815639fb3461c7b3663acf5a107",
            "tlsh": "c182f9551473233a16f2a8f9a71fb061ea29901b6708ed20b40ee3551fcd16960efff6",
            "path": "dist/cli/daemon/install.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "lakeshore-0.1.17.tgz",
            "hashes": {
                "sha1": "b46918a7538274a4215233f492458191e45e872e",
                "sha512_sri": "sha512-F35WcXRVY/MYUpfREXeTMYRBuiVpia4BLfb0JaKYyaqzzK7LQW6Y8z8BzAnnaa7xNeeZ7dl576sheLaKEJHjNg=="
            }
        }
    ]
}