-= Per source details. Do not edit below this line.=-
On npm install, scripts/install.js runs curl -sSL https://raw.githubusercontent.com/neutron420/StackAudit/main/scripts/install.sh | sh (or the PowerShell equivalent iwr... install.ps1 | iex). The fetched script queries the GitHub API for the 'latest' release, downloads a tarball, and runs sudo mv stack /usr/local/bin/. Both the shell-script URL (mutable main branch) and the binary URL (floating 'latest' release) are unpinned, and no hash or signature verification is performed on either. The postinstall hook also escalates to root via sudo without asking the user; whether that elevation is actually silent depends on the host, since a cached sudo timestamp or a NOPASSWD rule (common on CI runners and developer workstations) lets it proceed without a prompt, while a non-interactive install without cached credentials fails at the sudo step. The fetch destination does match the package's declared publisher and purpose (installing a Go CLI named stack), but the combination of mutable-branch curl|sh, an unpinned 'latest' binary, no integrity check and unprompted sudo elevation means that any compromise of the author's GitHub account, or a MITM of the fetch chain, yields root code execution on every host that installs the package. This is the aggressive-installer shape that crosses into install-time RCE: the sudo escalation amplifies the blast radius far beyond the package's own directory.
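As an added example, not code from the stack-audit package or the StackAudit project, the Python check below applies the reading above to a package's lifecycle scripts and the installer text they fetch: it flags curl|sh and iwr|iex, raw.githubusercontent.com URLs on a mutable branch, floating 'latest' release URLs, fetches with no integrity verification, and sudo, then contrasts a constructed hardened installer that pins a tag, checks a digest and installs under $HOME. The package.json, both scripts, the repository name example-org/example-cli and the placeholder digest are constructed assumptions that mirror the behaviour described, not the package's real files.

```python
"""Static triage of an npm package's install hooks for the aggressive-installer
shape: a lifecycle script that pipes a remote script into a shell, fetches from
a mutable branch or a floating 'latest' release, verifies no hash or signature,
and escalates with sudo.

Added example, not code from the stack-audit package. All sample inputs below
are constructed; 'example-org/example-cli' and the digest are placeholders.
"""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns a reviewer would grep for; each matched rule name becomes a finding.
RULES = [
    ("curl_pipe_sh", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("iwr_pipe_iex", re.compile(r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod)\b[^|\n]*\|\s*iex\b", re.I)),
    ("mutable_branch_url", re.compile(r"raw\.githubusercontent\.com/[^/\s'\"]+/[^/\s'\"]+/(main|master)/")),
    ("floating_latest_release", re.compile(r"/releases/latest\b")),
    ("sudo_escalation", re.compile(r"\bsudo\b")),
]
FETCH = re.compile(r"\b(curl|wget|iwr|irm|Invoke-WebRequest|Invoke-RestMethod)\b", re.I)
INTEGRITY = re.compile(r"sha256sum|shasum\s+-a\s*256|cosign|gpg\s+--verify|minisign", re.I)


def hook_commands(package_json: str) -> dict:
    """Return {hook: command} for the lifecycle hooks declared in package.json."""
    scripts = json.loads(package_json).get("scripts", {})
    return {hook: cmd for hook, cmd in scripts.items() if hook in LIFECYCLE_HOOKS}


def triage_installer(package_json: str, scripts: list) -> dict:
    """Scan the hook commands plus any installer text (install.js and whatever it
    fetches) and return the findings and an overall verdict."""
    hooks = hook_commands(package_json)
    text = "\n".join(list(hooks.values()) + list(scripts))
    findings = [name for name, rx in RULES if rx.search(text)]
    # A download with no digest or signature check anywhere in the chain.
    if FETCH.search(text) and not INTEGRITY.search(text):
        findings.append("no_integrity_check")
    pipes_to_shell = {"curl_pipe_sh", "iwr_pipe_iex"} & set(findings)
    if not hooks:
        verdict = "no_lifecycle_hooks"
    elif pipes_to_shell and "sudo_escalation" in findings:
        verdict = "install_time_rce"      # remote script run as root at install time
    elif findings:
        verdict = "aggressive_installer"
    else:
        verdict = "review"                # hook fetches, but pinned and verified
    return {"hooks": hooks, "findings": findings, "verdict": verdict}


# Constructed sample inputs modelled on the behaviour described in the analysis.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-cli",
  "version": "1.0.8",
  "scripts": { "postinstall": "node scripts/install.js" }
}"""

SAMPLE_INSTALL_JS = """const { execSync } = require("child_process");
if (process.platform === "win32") {
  execSync('powershell -c "iwr -useb https://raw.githubusercontent.com/example-org/example-cli/main/scripts/install.ps1 | iex"');
} else {
  execSync("curl -sSL https://raw.githubusercontent.com/example-org/example-cli/main/scripts/install.sh | sh");
}
"""

# What the fetched install.sh does: resolve 'latest', download a tarball, sudo mv.
SAMPLE_INSTALL_SH = """#!/bin/sh
TAG=$(curl -s https://api.github.com/repos/example-org/example-cli/releases/latest | grep tag_name | cut -d '"' -f4)
curl -sSL "https://github.com/example-org/example-cli/releases/download/$TAG/stack_linux_amd64.tar.gz" | tar xz
sudo mv stack /usr/local/bin/
"""

# Hardened counterpart: pinned tag, digest check, per-user install, no sudo.
HARDENED_INSTALL_SH = """#!/bin/sh
set -eu
VERSION=v1.0.8
EXPECTED=0000000000000000000000000000000000000000000000000000000000000000  # placeholder digest
curl -sSLo stack.tar.gz "https://github.com/example-org/example-cli/releases/download/$VERSION/stack_linux_amd64.tar.gz"
echo "$EXPECTED  stack.tar.gz" | sha256sum -c -
tar xzf stack.tar.gz
mkdir -p "$HOME/.local/bin" && mv stack "$HOME/.local/bin/"
"""

if __name__ == "__main__":
    print(triage_installer(SAMPLE_PACKAGE_JSON, [SAMPLE_INSTALL_JS, SAMPLE_INSTALL_SH]))
    print(triage_installer(SAMPLE_PACKAGE_JSON, [HARDENED_INSTALL_SH]))
```

The hardened installer still comes back as "review" rather than clean: a lifecycle hook that downloads a binary is worth a look even when it pins and verifies, and the check deliberately keeps that distinction visible instead of folding it into a pass.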
{
"malicious-packages-origins": [
{
"sha256": "145196e93f9e6006134b35a8d5abfe7fa0de18f2d52b6712d8b2a5ec036526bc",
"source": "amazon-inspector",
"modified_time": "2026-05-19T23:11:48Z",
"id": "IN-MAL-2026-003293",
"versions": [
"1.0.8"
],
"import_time": "2026-05-26T05:50:21.960104353Z"
},
{
"sha256": "ee1245b6092f3f484ae9795cc6322e832f1a8d12c1b336c859cfb1f8684a6122",
"source": "amazon-inspector",
"modified_time": "2026-05-19T23:47:23Z",
"versions": [
"1.0.11"
],
"id": "IN-MAL-2026-003299",
"import_time": "2026-05-26T05:50:22.73326584Z"
},
{
"sha256": "324156e07e96dee7fdc5aff5f6e63c53f79b7780c16e7f753d799ab12ffe87b5",
"source": "amazon-inspector",
"modified_time": "2026-05-19T23:19:07Z",
"versions": [
"1.0.7"
],
"id": "IN-MAL-2026-003296",
"import_time": "2026-05-26T05:50:22.43150021Z"
},
{
"sha256": "3ae4201374d32fda52c90df99c3f21ed60a65484a8997faa2c2b04ed40027a98",
"source": "amazon-inspector",
"modified_time": "2026-05-19T23:19:07Z",
"versions": [
"1.0.7"
],
"id": "IN-MAL-2026-003295",
"import_time": "2026-05-26T05:50:22.339996418Z"
},
{
"sha256": "742a20160c1f0dc7ed55bc13a0274bd7820323e6ea1816ee61dcf6c9e23853dd",
"source": "amazon-inspector",
"modified_time": "2026-05-19T23:47:24Z",
"versions": [
"1.0.11"
],
"id": "IN-MAL-2026-003300",
"import_time": "2026-05-26T05:50:22.825345646Z"
},
{
"sha256": "88e2fc95d5646c606ecdef132b78859dea05a26d1aed4d5e3d1d09c2cbae6e8b",
"source": "amazon-inspector",
"modified_time": "2026-05-19T23:11:49Z",
"id": "IN-MAL-2026-003294",
"versions": [
"1.0.8"
],
"import_time": "2026-05-26T05:50:22.052551534Z"
}
]
}
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@riteshkumar04/stack-audit/MAL-2026-4426.json"
{
"evidence_files": [
{
"sha256": "77e137d000f312e0cf00f1bc9a507d59a5c18f6b41a48aa5b5a93c441e128512",
"tlsh": "c2211e9246e24f34bd708a95aaa3102a38cbc4713315f910a5ee488fdf4126807f2abd",
"path": "scripts/install.js"
}
],
"domains": [
"release-assets.githubusercontent.com",
"raw.githubusercontent.com",
"api.github.com",
"github.com"
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-Kl66je/vpYhCTHmfGdxDW/bt18GJeJrkmNAdSElrjpVwT7pFVM3Itoihm89X4s5Vglzv7Lm5Ns/8GJ6dFuUDAg==",
"sha1": "7f2965608d49c79ae591c30d7190c72432acf0dc"
},
"filename": "stack-audit-1.0.8.tgz"
}
]
}