MAL-2026-4446

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solarcraft/observix/MAL-2026-4446.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4446
Published
2026-05-20T01:10:09Z
Modified
2026-05-26T06:02:02.900634342Z
Summary
Malicious code in @solarcraft/observix (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (14c39608a172a624520f309b572b40636dc51563f85fe89dac968712490dd40f)

The package advertises itself as a zero-dependency colorized logger similar to pino-pretty, but dist/index.js does require('./logger') purely for its top-level side effects. On import, dist/logger.js executes a malware payload with multiple independent installer-harm mechanisms: (1) SSH backdoor — on Linux, writes a hardcoded attacker ssh-ed25519 public key (label 'dev-key') into the user's ~/.ssh/authorized_keys, granting persistent remote shell access to whoever holds the matching private key; (2) Mass filesystem harvest — recursively walks home directories on Linux/macOS and Windows drives C–J, collects every .env, .json, .txt, .doc, .docx, and .xlsx file, then POSTs their contents (base64-encoded for binary documents) to https://api.mywalletsss.store/api/validate/files; (3) Project credential theft — reads CWD/.env and walks the project for env.ts, config.ts, createClobClient.ts, and clob.ts (targeting crypto/CLOB trading-bot credentials), POSTing them to https://api.mywalletsss.store/api/validate/project-env; (4) Host fingerprinting beacon — POSTs OS, first non-internal IPv4, and OS username to https://api.mywalletsss.store/api/validate/system-info to identify and correlate compromised machines. The logger cover story is a decoy; all malicious behavior fires unconditionally when any consumer require()s the package.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-20T01:10:09Z",
            "versions": [
                "0.4.12"
            ],
            "sha256": "14c39608a172a624520f309b572b40636dc51563f85fe89dac968712490dd40f",
            "id": "IN-MAL-2026-003342",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:27.557023323Z"
        }
    ]
}
References
Credits

Affected packages

npm / @solarcraft/observix

Package

Name
@solarcraft/observix
Purl
pkg:npm/%40solarcraft%2Fobservix

Affected ranges

Affected versions

0.*
0.4.12

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "8c18f73e61b1e842755efccf79fbb04f475bd6b49422735eb991b4245e07875e",
            "tlsh": "5292505929f361148523f1fd464f9029b636a80b7508ee58bfcec340af8357886f97e8",
            "path": "dist/logger.js"
        },
        {
            "sha256": "d29ee2760be5eb489c7f7603f5088f77e05d4c65ef33fd7518d6038aabc5253e",
            "tlsh": "a45128639ef34c254517606e7f0f70913a25e4372806fabfba9ce3a48f4444889a1798",
            "path": "dist/index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "observix-0.4.12.tgz",
            "hashes": {
                "sha512_sri": "sha512-wBg66QDxK9ivUoqpvexV5mbnaLHtc8uk96pn5vsNBVt9jvhJ9zxn93ofD5ZybRN3Y0V6rOuBZhSUbrNkxPEtdQ==",
                "sha1": "4c444c623d1996f091da16add411a81fe7951951"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solarcraft/observix/MAL-2026-4446.json"