MAL-2026-4462
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@vino.tian/vibe-kanban/MAL-2026-4462.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4462
- Withdrawn
- 2026-05-26T21:14:22Z
- Published
- 2026-05-21T14:20:57Z
- Modified
- 2026-05-27T00:32:05.718324713Z
- Summary
- Malicious code in @vino.tian/vibe-kanban (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (7f1533bb7e55b1bcd10291aa9f19e2a5cbe5755a7a6a7343d38fbd3ff8064a1f)
This package is published as
@vino.tian/vibe-kanbanand copies its README, name, and feature description from BloopAI's legitimatevibe-kanbanproject, but its binary distribution channel is a different, unrelated GitHub account. When the installed CLI is invoked (npx @vino.tian/vibe-kanban),bin/cli.jsconstructs a release-asset URL of the formhttps://github.com/tianweilong/deploy-center/releases/download/<tag>/<platform>.{zip,tar.gz}, downloads the archive, extracts it, and runs the resulting binary viaexecSync("${bin}", { stdio: 'inherit' }). A SHA-256 check is performed against a checksums file, but the checksums file is fetched from the sametianweilong/deploy-centerrepo as the archive, so the verification provides no protection — whoever controls that repo controls both the bytes and the expected hash. Additional integrity concerns:package.jsondeclares"main": "index.js"but noindex.jsis shipped, and an unsubstituted__R2_PUBLIC_URL__placeholder remains in the desktop-installer path. Net effect: a user who installs and runs this package executes arbitrary bytes served by an attacker-controlled GitHub account under the guise of a known OSS tool. - Database specific
{ "malicious-packages-origins": [ { "sha256": "6714cac258173856d447c9fe51c19f5b96a59c3c5c3d0bb64167da5792c281fa", "id": "IN-MAL-2026-004665", "source": "amazon-inspector", "modified_time": "2026-05-25T14:03:09Z", "versions": [ "0.1.4420" ], "import_time": "2026-05-26T05:53:02.921127792Z" }, { "sha256": "7f1533bb7e55b1bcd10291aa9f19e2a5cbe5755a7a6a7343d38fbd3ff8064a1f", "id": "IN-MAL-2026-003867", "source": "amazon-inspector", "modified_time": "2026-05-21T14:20:57Z", "versions": [ "0.1.4413" ], "import_time": "2026-05-26T05:51:28.818950425Z" }, { "sha256": "99c6b49d225e4520c1357625e723ccb4c5e1c8a70abbfd8498d1e07f32c4b624", "id": "IN-MAL-2026-004506", "source": "amazon-inspector", "modified_time": "2026-05-24T12:54:43Z", "versions": [ "0.1.4418" ], "import_time": "2026-05-26T05:52:44.081621756Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @vino.tian/vibe-kanban
Package
- Name
- @vino.tian/vibe-kanban
- View open source insights on deps.dev
- Purl
- pkg:npm/%40vino.tian%2Fvibe-kanban
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@vino.tian/vibe-kanban/MAL-2026-4462.json"
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"tlsh": "7333d9092af7512202b3607a5e8f24157675c7172609ed5cfaece7e02f95138c6f3ba8",
"sha256": "2c441691c83cfcc711e0b1de4db774fbf60618e270b5f2cc2717be7bf302b988",
"path": "bin/cli.js"
},
{
"sha256": "05082787388040207f136a3a68867bd3196535723474713af3d62b9c79665c8c",
"tlsh": "82117620cab8a8b301dd55faec790283e5725a278968fd1c73c2411c0b6e17a10beb6c",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "vibe-kanban-0.1.4420.tgz",
"hashes": {
"sha1": "90d8b8d5c7ac6fdce3bd3437793979a343522fb8",
"sha512_sri": "sha512-yVIhzLN6T3dXGjCFhKffohfrMjEJHsls4dZ0b4YUOXT/B4T3zFt66SRITxST/Pu9vrti5ZKu24rSP2rbDZiqow=="
}
}
]
}