MAL-2026-4489

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/auth0-templates-scripts/MAL-2026-4489.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4489
Published
2026-05-21T05:44:38Z
Modified
2026-05-26T06:02:14.564930911Z
Summary
Malicious code in auth0-templates-scripts (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1bc0f40b778be080e2a14dd0097ab772565cc570f5fd471f10e883f259be2db6)

Package name 'auth0-templates-scripts' impersonates the Auth0 (Okta) brand without affiliation. The author field is the placeholder 'OpenSource Contributor'. The main entry (index.js lines 2-6) silently require()s a co-named dependency auth0-templates-scripts-utils (^1.0.5) inside a try/catch that swallows all errors, then prints an 'integration framework initialized' message. This is a loader-shim pattern: the visible package is nearly empty while the auto-installed sibling — which is pulled into the installer's dependency tree on npm install and loaded on every require('auth0-templates-scripts') — carries the actual code, hidden from inspection of this tarball. The combination of brand-name impersonation, placeholder author metadata, and a silent error-swallowing shim that delegates execution to a co-named transitive is the canonical namespace-abuse dropper shape.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1bc0f40b778be080e2a14dd0097ab772565cc570f5fd471f10e883f259be2db6",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T06:15:44Z",
            "versions": [
                "80.0.4"
            ],
            "id": "IN-MAL-2026-003756",
            "import_time": "2026-05-26T05:51:15.228486767Z"
        },
        {
            "sha256": "83d0e8b6d3b7847b1409fb341e749cfd75fe4b0445e0f11a5042817dde29287b",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T05:45:23Z",
            "id": "IN-MAL-2026-003749",
            "import_time": "2026-05-26T05:51:14.487478174Z",
            "versions": [
                "80.0.1"
            ]
        },
        {
            "sha256": "9ae04c43a548d234c87b09405f4c7b012454f5352b1351318d1a8849e3cad8c0",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T06:17:54Z",
            "import_time": "2026-05-26T05:51:15.335157703Z",
            "versions": [
                "80.0.4"
            ],
            "id": "IN-MAL-2026-003757"
        },
        {
            "source": "amazon-inspector",
            "sha256": "be512846c47dcba2066ef022d0ffce73f2b74b9ad04268041f438ec920cc57b4",
            "modified_time": "2026-05-21T05:44:38Z",
            "versions": [
                "80.0.1"
            ],
            "id": "IN-MAL-2026-003748",
            "import_time": "2026-05-26T05:51:14.38973346Z"
        }
    ]
}

Affected packages

npm / auth0-templates-scripts

Package

Name
auth0-templates-scripts
Purl
pkg:npm/auth0-templates-scripts

Affected ranges

Affected versions

80.*
80.0.1
80.0.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/auth0-templates-scripts/MAL-2026-4489.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]