MAL-2026-4399

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@kedem/okdb/MAL-2026-4399.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-4399
Withdrawn: 2026-05-26T18:08:08Z
Published: 2026-05-21T11:28:39Z
Modified: 2026-05-27T00:31:56.144454270Z
Summary: Malicious code in @kedem/okdb (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cfce9a94c70e54caff77645f380418abda1bb1a38ad9cda61f6fbeaa482e2fed)

The package's CLI entry point at bin/okdb.js is a heavily obfuscated single-line bundle (hex-mangled symbols like _0x2a69e2/_0x5d02f6) that constructs HTTP POST requests to a hardcoded host (node-a.example.com) while reading process.env values and invoking 'ping' commands. The combination of (a) hex-obfuscated variable naming consistent with deliberate concealment, (b) a hardcoded remote POST destination embedded directly in the bundle, and (c) process.env reads adjacent to the network call inside the same obfuscated scope is the canonical command-and-control / environment-exfiltration shape. The bin entry runs whenever an installer invokes the CLI, transmitting host and environment data to the attacker-controlled endpoint. A second file okdb.js at the package root contains additional hardcoded POST patterns reinforcing the same network behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003803",
            "versions": [
                "1.8.3"
            ],
            "sha256": "cfce9a94c70e54caff77645f380418abda1bb1a38ad9cda61f6fbeaa482e2fed",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T11:28:39Z",
            "import_time": "2026-05-26T05:51:20.737243422Z"
        }
    ]
}

Affected packages

npm / @kedem/okdb

Package

Name: @kedem/okdb
Purl: pkg:npm/%40kedem%2Fokdb

Affected ranges

Affected versions

1.*
1.8.3

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "bin/okdb.js",
            "sha256": "addb61d779e54d33c1ec41172a5025bc6f767589787ea91ae933c1feab089ccf",
            "tlsh": "a1e3b5406bc0d66d23ca1ffb3637a4e6c00b1b9e75845b9be184fca454a5213f6ee630"
        },
        {
            "path": "okdb.js",
            "sha256": "b4a2bf71c31266a22556da7e2d4a29f3e8c7db815a0f0d5976309bc24b4182dd",
            "tlsh": "3785d8406bc0956c238b5ffa7707b1d6e85b0c1f75484cabe198bc6861e6603fbe9631"
        },
        {
            "path": "public/sections/embeddings/parts/embed-create-panel.ok.js",
            "sha256": "3dbb8b035b0576091ec0aaf925fd0652def0e45d476ca76a0af154e7afd0b05e",
            "tlsh": "3e33d821f1f499333497dce86ea99a2e3e5ab640e0180454f76c1bf217cec81e527b79"
        },
        {
            "path": "public/sections/embeddings/parts/pipeline-create-panel.ok.js",
            "sha256": "db741005e69ba5f534f4d13343b2ee88a242f53ef40dd5963e60b758b014c597",
            "tlsh": "5343eaa6fad348b706a34ed01ff50baf3e687551844948687e6c0be35786c11f813b7a"
        }
    ],
    "package_integrity": [
        {
            "filename": "okdb-1.8.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-xi0cHUad3dH7GBCh9202hDRTKuhSceK2LWa/ZL7n4R0eHLWPq5p8RYh8tmTpQG5wHezGUKdeWROpAGBF4lVn/w==",
                "sha1": "cf3f8a70cc0d0e7c6f338e07a30692aaed6c820f"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@kedem/okdb/MAL-2026-4399.json"