MAL-2026-4431

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@scp3500/openvl/MAL-2026-4431.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4431
Withdrawn
2026-05-26T18:23:57Z
Published
2026-05-20T12:58:26Z
Modified
2026-05-27T00:32:05.626644285Z
Summary
Malicious code in @scp3500/openvl (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fee1ab6796d8af462e9f00e82a28545b72eae4d9d9f0ab0f36ca4b09cd29487c)

scripts/mcp_server.js loads child_process, fs, and http, reads from process.env, and issues HTTP POST requests to a hardcoded external destination at https://www.yysc.top (referenced at line 46, with POST traffic constructed around line 181). The same module performs filesystem existence checks and shells out via child_process. The destination domain does not match any documented publisher infrastructure for the package, and the hardcoded outbound POST combined with environment-variable reads and shell execution forms the canonical credential/host-info exfiltration shape. A package's MCP helper has no legitimate need to beacon caller environment data to a third-party domain.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003534",
            "import_time": "2026-05-26T05:50:48.653957001Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.40"
            ],
            "modified_time": "2026-05-20T12:58:26Z",
            "sha256": "fee1ab6796d8af462e9f00e82a28545b72eae4d9d9f0ab0f36ca4b09cd29487c"
        }
    ]
}
References
Credits

Affected packages

npm / @scp3500/openvl

Package

Name
@scp3500/openvl
Purl
pkg:npm/%40scp3500%2Fopenvl

Affected ranges

Affected versions

1.*
1.0.40

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@scp3500/openvl/MAL-2026-4431.json"
indicators
{
    "package_integrity": [
        {
            "filename": "openvl-1.0.40.tgz",
            "hashes": {
                "sha1": "685cdc47b251cf88463005f2a014e92fa4e93f7e",
                "sha512_sri": "sha512-EeUKeNxxlUCxyk9Bwu4GsKAT4osmXwWi97aalBCxc/wuUI9phFNAMy+ZINFlzYNIaM5Q18JEmRlHPU+LPruQvw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "scripts/mcp_server.js",
            "sha256": "f9b9de6adc9c7ba979c85422b64b46f2bc9f196476e2a60f4191e2f34bbc1a04",
            "tlsh": "2202c9ca85f766b68563926d074fd00eb229f5577109caa4fadc83116f8017883b3f9d"
        }
    ]
}