MAL-2026-4473

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zizie071/libsignal-node/MAL-2026-4473.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4473
Published
2026-05-25T00:32:44Z
Modified
2026-05-26T06:02:07.616414658Z
Summary
Malicious code in @zizie071/libsignal-node (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3e6d5096096e7e958916c5449a7480949135e6af5cd9acd4e1b1edab8c331163)

On require(), index.js schedules install.js which locates the installer's @whiskeysockets/baileys package on disk and overwrites lib/Socket/newsletter.js with an embedded payload (MODIFIEDNEWSLETTERJS). The injected code fetches a JSON list from https://raw.githubusercontent.com/pipih071/SilenceV3/refs/heads/main/ch.json (a mutable, attacker-controlled raw GitHub URL) and uses the installer's authenticated WhatsApp session to silently auto-follow channels listed in that file.

install.js writes a marker file (.cache containing 'Iove') under Baileys' node_modules to track the patch and calls process.exit(0) after patching to mask the side effect.

The package self-identifies as 'Open Whisper Systems' libsignal for Node.js' under the @zizie071 scope, mimicking the well-known libsignal-node library API surface (SessionBuilder, SessionCipher, etc.) so unsuspecting developers pull it in as a drop-in replacement.

Three independent supply-chain harms are present:

(1) cross-package tampering — the package mutates a sibling vendor's installed source on the installer's machine,
(2) attacker-controlled remote behavior — the patched code reads a mutable URL on each run so the attacker can change targeted channels at any time,
(3) namespace abuse / impersonation of a well-known cryptography library to deliver the payload.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:52:50.813201343Z",
            "versions": [
                "3.3.6"
            ],
            "sha256": "3e6d5096096e7e958916c5449a7480949135e6af5cd9acd4e1b1edab8c331163",
            "id": "IN-MAL-2026-004562",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T00:32:44Z"
        },
        {
            "import_time": "2026-05-26T05:52:50.913350798Z",
            "versions": [
                "3.4.6"
            ],
            "sha256": "5a2f3e504408800287317ea48a594dbcccfed211bae02ac9b4dfb5ddc352ae95",
            "id": "IN-MAL-2026-004563",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T00:32:47Z"
        }
    ]
}
References
Credits

Affected packages

npm / @zizie071/libsignal-node

Package

Name
@zizie071/libsignal-node
Purl
pkg:npm/%40zizie071%2Flibsignal-node

Affected ranges

Affected versions

3.*
3.3.6
3.4.6

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "c86cd05d866b3c1ef4e36cba593765fc6d0346ac6c52325d737f53cd2fe09d50",
            "tlsh": "7272b39665fb67a917a37054a67fb0e0b324f243751598627e8c90020f4a2dce9f3bd8",
            "path": "install.js"
        },
        {
            "sha256": "334197589b29aa70bc1eb7e40f4aafaaa9760a6d5f41554e0f5f301bee77070e",
            "tlsh": "2ef0f024ca15ec3300c47a6a6c71090653a21c638998bd0c33c6880c8f9e19fa7bea6d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-KZiFa+80QgVF9OB8y899X59kNlycd+KzDELFaOL44Xx7HTUhRjgX6SmSf9uzHBDQWym1etWDB1MMqJ4UvhXjvw==",
                "sha1": "e01783195729a5e3849713b0d6c92f9cfab70c15"
            },
            "filename": "libsignal-node-3.3.6.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zizie071/libsignal-node/MAL-2026-4473.json"