MAL-2026-4428

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@rspack-debug/core/MAL-2026-4428.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4428
Withdrawn
2026-05-26T21:41:23Z
Published
2026-05-20T12:16:10Z
Modified
2026-05-27T00:32:05.668261989Z
Summary
Malicious code in @rspack-debug/core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c05c92aa1796614da12b282390f160fef2a5c63aba9a3257af956c19df341ce5)

Package @rspack-debug/core@2.0.4 impersonates the popular @rspack/core bundler. The README, description ('Fast Rust-based bundler for the web with a modernized webpack API'), homepage (rspack.rs), and repository pointer are copied verbatim from the legitimate package. The package.json declares a single runtime dependency using npm's package-aliasing syntax: "@rspack/binding": "npm:@rspack-debug/binding@2.0.4". This forces every install to substitute the legitimate native binding @rspack/binding with the same-author-controlled sibling @rspack-debug/binding under the impersonating scope. The native binding is loaded by @rspack/core's main module, so any code shipped in @rspack-debug/binding executes when a consumer imports the package or runs the bundler. The combination of (a) a ≤1-edit name impersonation of a top-tier registry package, (b) verbatim cloning of the upstream identity, and (c) a dependency-alias redirect of the native binding to a sibling under the typosquat scope is the canonical delivery vehicle for malicious native code through a typosquat front.
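The alias-redirect pattern described above can be checked mechanically before a manifest is installed. The block below is an added example, not part of the advisory or of the OSV project: it walks the dependency fields of a package.json, parses every `npm:` alias spec, and flags aliases that rename a dependency or redirect it into a different scope. The manifest it scans is constructed from the advisory's description and is not the real package contents.

```python
"""Flag npm package-alias redirects in a package.json (added detection example)."""
import json

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def split_alias_target(spec):
    """Split an alias spec such as 'npm:@scope/name@1.2.3' into (name, version).

    The version part may be empty. Scoped names start with '@', so the version
    separator is the last '@' in the string, never the leading one.
    """
    target = spec[len("npm:"):]
    cut = target.rfind("@")
    if cut <= 0:
        return target, ""
    return target[:cut], target[cut + 1:]


def scope_of(name):
    """Return the '@scope' prefix of a package name, or '' for unscoped names."""
    return name.split("/", 1)[0] if name.startswith("@") else ""


def find_alias_redirects(manifest):
    """Return one finding per 'npm:' alias across all dependency fields."""
    findings = []
    for field in DEP_FIELDS:
        for declared, spec in manifest.get(field, {}).items():
            if not isinstance(spec, str) or not spec.startswith("npm:"):
                continue
            target, version = split_alias_target(spec)
            findings.append({
                "field": field,
                "declared": declared,
                "target": target,
                "version": version,
                # The installed code differs from the name other packages resolve.
                "renamed": target != declared,
                # The alias pulls from a scope the declared name does not belong to.
                "cross_scope": scope_of(target) != scope_of(declared),
            })
    return findings


# Constructed manifest modelled on the advisory text; not the real package.json.
SAMPLE_MANIFEST = json.loads("""{
  "name": "@rspack-debug/core",
  "version": "2.0.4",
  "dependencies": {"@rspack/binding": "npm:@rspack-debug/binding@2.0.4"},
  "devDependencies": {"string-width": "npm:string-width@^4.2.3", "lodash": "^4.17.21"}
}""")

if __name__ == "__main__":
    for f in find_alias_redirects(SAMPLE_MANIFEST):
        label = "CROSS-SCOPE REDIRECT" if f["cross_scope"] else "alias"
        print(f"{label}: {f['declared']} -> {f['target']}@{f['version']} [{f['field']}]")
```

A same-name alias (`string-width` pinned to itself) is a common, benign use of the syntax; the cross-scope, renamed case is the one that warrants manual review of the target package.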

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003525",
            "versions": [
                "2.0.4"
            ],
            "sha256": "7d30900b1c9603b37fb438ab67bc3b6991250501d2a2571237fcdfe94e25e46e",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T12:19:31Z",
            "import_time": "2026-05-26T05:50:47.575928381Z"
        },
        {
            "id": "IN-MAL-2026-003524",
            "versions": [
                "2.0.4"
            ],
            "sha256": "c05c92aa1796614da12b282390f160fef2a5c63aba9a3257af956c19df341ce5",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T12:16:10Z",
            "import_time": "2026-05-26T05:50:47.47245143Z"
        }
    ]
}

Affected packages

npm / @rspack-debug/core

Package

Name
@rspack-debug/core
Purl
pkg:npm/%40rspack-debug%2Fcore

Affected ranges

Affected versions

2.*
2.0.4

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "0105ed12eb6453927c401616ff884ed09ab83cc6163632af5eacf9a119eb3380",
            "tlsh": "6541bb72c9684d630ad820d5a8390253a16908574c89bc0c37ca932c9f4dbdf35fafad"
        }
    ],
    "package_integrity": [
        {
            "filename": "core-2.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-sOm9WZi6dwjrZIedUra4QuIzUX4rA/sRXpHi0zUAuox50jXeoCkaQa16gZPZg9A7YEgNVEN6c+jO4Wx1IHEJ+Q==",
                "sha1": "244c0b6d3664952bea354ed4f85992ae30fb8bac"
            }
        }
    ],
    "domains": [
        "34.7.16.104.in-addr.arpa"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@rspack-debug/core/MAL-2026-4428.json"