MAL-2026-4404

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@loans/vehicles-api/MAL-2026-4404.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4404
Aliases
  • GHSA-fp77-68vp-78c2
Published
2026-05-25T15:35:06Z
Modified
2026-05-28T15:31:50.458664909Z
Summary
Malicious code in @loans/vehicles-api (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (23e2b702fc2de01ebe69a6d2baa4766782db91842f096c04b4b5d019105cd91b)

@loans/vehicles-api is a dependency-confusion package targeting an internal @loans npm scope (claimed homepage docs.loans.io, README directs users to a private registry npm.loans.io) but published to the public npm registry with a malicious scripts/postinstall.js. On npm install, the postinstall script (1) downloads a per-OS payload from https://oob.moika.tech/payload/{linux,mac,win}, writes it to os.tmpdir() as.loansinit.sh/.bat, chmods 0755, and spawns it via /bin/sh or cmd.exe with no hash/signature verification — unconditional install-time remote code execution; (2) enumerates process.env for credential-shaped keys (npmtoken, npmconfigauthtoken, nodeauthtoken, npmconfig__auth, githubtoken, awsaccess_keyid, awssecretaccesskey, awssessiontoken, artifactorytoken, nexustoken) and POSTs the values to https://oob.moika.tech/report; (3) reads ~/.npmrc, /etc/npmrc,./.npmrc, and../.npmrc (which commonly contain registry _authToken entries) and exfiltrates their contents; (4) collects host fingerprint (hostname, username, platform, arch, cwd, node/npm versions, full PATH, CI flags) and self-identifies in the JSON payload as poc: 'dependency-confusion-npm'. The destination domain oob.moika.tech does not match the claimed publisher (loans.io). Any installer whose internal resolver selects this public version is fully compromised at install time.

Source: ghsa-malware (5d62d4ca15489ece64967213da844d77116eb713dd14885fcceddb4520c37086)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific 
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:53:08.063126991Z",
            "versions": [
                "9.9.10"
            ],
            "sha256": "051ff47d075020d6d8f069e226173699c0dd69727c77f40f6050c4bf6ec8cd2a",
            "id": "IN-MAL-2026-004710",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T15:35:06Z"
        },
        {
            "modified_time": "2026-05-25T15:35:06Z",
            "versions": [
                "9.9.10"
            ],
            "sha256": "23e2b702fc2de01ebe69a6d2baa4766782db91842f096c04b4b5d019105cd91b",
            "id": "IN-MAL-2026-004709",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:07.942853962Z"
        },
        {
            "import_time": "2026-05-28T15:25:19.329681328Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "sha256": "5d62d4ca15489ece64967213da844d77116eb713dd14885fcceddb4520c37086",
            "id": "GHSA-fp77-68vp-78c2",
            "source": "ghsa-malware",
            "modified_time": "2026-05-28T13:39:44Z"
        }
    ]
}
References
Credits

Affected packages

npm / @loans/vehicles-api

Package

Name
@loans/vehicles-api
View open source insights on deps.dev
Purl
pkg:npm/%40loans%2Fvehicles-api

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*
9.9.10

Database specific

indicators 
{
    "domains": [
        "oob.moika.tech"
    ],
    "evidence_files": [
        {
            "sha256": "648dea8db26cf6fed89edc5c5439308a167639ecd705961f3a6cfe41f3eeb15c",
            "tlsh": "69c1c8db23fb913503d6b6eae91b6412e623b1033d05e9e4f95c41006f8a56c9673eec",
            "path": "scripts/postinstall.js"
        },
        {
            "sha256": "881ca538e9616e59e52461732a9310b9ef33278e955416fe16557e04d4e3e49f",
            "tlsh": "f5119b36c7398d3316d475e6e9a40502bd724d8b0849fd0c27c3101c4b8e0bb54be27e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-c2HaN7NvzgDnnz945v2kIN0o529Qb64b+l/Ur5ldbxy1HNam43a/uvcaBLTmhXmqYxDNuuOr/8NEILwIhrvBlw==",
                "sha1": "ce2f10a57efd235fc7ea95e57e39f55c28eed211"
            },
            "filename": "vehicles-api-9.9.10.tgz"
        }
    ]
}
cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@loans/vehicles-api/MAL-2026-4404.json"