-= Per source details. Do not edit below this line.=-
The published tarball's package.json contains a hardcoded npm registry auth token embedded in the `build:publish` script: `npm publish --tag alpha --//registry.npmjs.org/:_authToken=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`. Because package.json ships inside the tarball, the token is delivered to every installer of this package; per the report it grants publish privileges to the author's @kruzer/* npm scope. Anyone who installs or inspects the package can use the token to publish arbitrary (potentially malicious) versions of any package under @kruzer, which would then be pulled into every downstream installer of those packages. This is credential distribution to a third-party system (the npm registry), not merely author self-harm — the blast radius extends to every downstream consumer of the @kruzer scope. The token should be treated as compromised: it must be revoked on npm, and versions published under @kruzer while it was exposed should be audited for unexpected publishes before being trusted. Note that the linked record sits under osv/withdrawn/, so confirm the advisory's current status against the upstream repository before acting on it.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-003659",
"import_time": "2026-05-26T05:51:03.598105177Z",
"sha256": "61e35bbeaf5b8e77f70d8554098ee0ec46a5d1ba7a2315f298a21406db78335f",
"source": "amazon-inspector",
"modified_time": "2026-05-21T00:30:28Z",
"versions": [
"0.0.0-alpha.497"
]
},
{
"id": "IN-MAL-2026-003658",
"versions": [
"0.0.0-alpha.491"
],
"sha256": "c1bb1f66615de2b0b161721218d2bff4bb0e7100b5cb28b764fcc2e6f1ee671f",
"source": "amazon-inspector",
"modified_time": "2026-05-21T00:15:29Z",
"import_time": "2026-05-26T05:51:03.50062953Z"
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "package.json",
"sha256": "742cb22737d628a2050ce613a1a44c6b6a041ca7386fb4c6d6c9adca2a36a973",
"tlsh": "eea1ff18ce449de36dd206ad95b91642685c900f4e6ab08c3366c11ccfad7ef3236e9d"
}
],
"package_integrity": [
{
"filename": "lib-ui-0.0.0-alpha.497.tgz",
"hashes": {
"sha512_sri": "sha512-hHoliVEM5QWao2z6EfgFku6pnwc+L9tTaLgnLPFLfP9c/7vqxXwWU6f5B5VjAnjdn/DXLLbidIUN+mLnaEN1TQ==",
"sha1": "b694101489b6f58a3d6176f3f0e7ddc7e58c716f"
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@kruzer/lib-ui/MAL-2026-4401.json"