MAL-2026-4490

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/auth0-templates-scripts-utils/MAL-2026-4490.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4490
Published
2026-05-21T05:52:53Z
Modified
2026-05-26T06:02:10.493872338Z
Summary
Malicious code in auth0-templates-scripts-utils (npm)
Details


Source: amazon-inspector (ed9a505fcbf6daef28b6625dcbde65ea1dd00b01c1a684debfdedfc7e5bc3643)

Package name impersonates the Auth0 ecosystem. Its postinstall hook (node index.js) runs unconditionally on npm install and performs a multi-stage data theft against the installer:

(1) collects hostname, username, architecture, cwd, local IPs, /etc/resolv.conf, .git HEAD, UID/GID, the host project's package.json (name/version/repo) by walking parent directories, local and home .npmrc registry/scope settings, ~40 CI/CD environment variables (GITHUB_*, GITLAB_*, BITBUCKET_*, AWS CodeBuild, Vercel, etc.), and presence flags for ~/.ssh, ~/.aws, ~/.kube, ~/.docker, ~/.npm, ~/.gitconfig, ~/.cargo, ~/.ngrok;

(2) when running in a cloud environment, queries the instance metadata service at decimal-encoded 169.254.169.254 (2852039166) to extract live AWS IMDSv2 STS tokens, Azure IMDS OAuth tokens, and GCP service-account access tokens, including a 40-character prefix of each token in the payload;

(3) DNS-probes ~30 internal-only hostnames (kubernetes.default.svc.cluster.local, vault.internal, consul.service.consul, gitlab.internal, jenkins.internal, ec2.internal, azure.internal, rancher.internal, etc.) to map the victim's internal infrastructure for lateral movement.

The exfiltration destination dep-update-ci-02.lapxa354.workers.dev is base64-cloaked (Buffer.from("ZGVwLXVwZGF0ZS1jaS0wMi5sYXB4YTM1NC53b3JrZXJzLmRldg==","base64").toString()) and the data is sent in fragmented chunks via https.get with a 60-second delay as evasion. Code in index.js trims its own -utils suffix to derive an inferred host-project name and reports the host project rather than itself, confirming intent as a supply-chain delivery vehicle. The User-Agent is MalekAbuLialaResearch/1.0.
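The indicators the description singles out (an unconditional install hook, a base64-wrapped hostname, a decimal-encoded link-local metadata address, and string literals naming internal-only DNS zones) are all visible statically. The script below is an added example, not part of the advisory or of the OSV record, of a defender-side pre-install check that pulls those indicators out of a package.json and entry script pair; the SAMPLE_* inputs are constructed fragments modelled on the description, not the package's real files, and the hook names and suffix list are this example's own assumptions.

```python
import base64
import ipaddress
import json
import re

# Constructed sample inputs modelled on the indicators the advisory lists.
# They are NOT the package's real files, only the fragments a scanner needs.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-utils",
    "version": "1.0.0",
    "scripts": {"postinstall": "node index.js"},
})

SAMPLE_INDEX_JS = r'''
const host = Buffer.from("ZGVwLXVwZGF0ZS1jaS0wMi5sYXB4YTM1NC53b3JrZXJzLmRldg==", "base64").toString();
const meta = "http://" + 2852039166 + "/latest/api/token";
const probes = ["vault.internal", "kubernetes.default.svc.cluster.local"];
setTimeout(() => {}, 60000);
'''

# npm lifecycle scripts that run on the installer's machine (assumed list).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Hostname suffixes the advisory lists as internal reconnaissance targets.
INTERNAL_SUFFIXES = (".internal", ".local", ".svc.cluster.local", ".service.consul")
B64_CALL = re.compile(r'Buffer\.from\(\s*"([A-Za-z0-9+/=]+)"\s*,\s*"base64"\s*\)')
DECIMAL_LITERAL = re.compile(r'\b(\d{9,10})\b')


def decimal_to_dotted(value: int) -> str:
    """Convert a 32-bit integer to dotted-quad form (2852039166 -> 169.254.169.254)."""
    return str(ipaddress.IPv4Address(value))


def decode_base64_literals(js_source: str) -> list[str]:
    """Decode every Buffer.from("...", "base64") literal that yields printable ASCII."""
    decoded = []
    for match in B64_CALL.finditer(js_source):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def link_local_decimal_ips(js_source: str) -> list[str]:
    """Find integer literals that decode into the 169.254.0.0/16 metadata range."""
    link_local = ipaddress.ip_network("169.254.0.0/16")
    hits = []
    for match in DECIMAL_LITERAL.finditer(js_source):
        value = int(match.group(1))
        if value <= 0xFFFFFFFF and ipaddress.IPv4Address(value) in link_local:
            hits.append(decimal_to_dotted(value))
    return hits


def internal_hostnames(js_source: str) -> list[str]:
    """Collect quoted string literals that end in an internal-only DNS suffix."""
    names = re.findall(r'"([A-Za-z0-9.-]+)"', js_source)
    return [n for n in names if n.endswith(INTERNAL_SUFFIXES)]


def scan_package(package_json_text: str, index_js_text: str) -> dict:
    """Return the install-time indicators found in a package.json / entry script pair."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts", {})
    return {
        "lifecycle_hooks": {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS},
        "decoded_base64": decode_base64_literals(index_js_text),
        "metadata_ips": link_local_decimal_ips(index_js_text),
        "internal_hostnames": internal_hostnames(index_js_text),
    }


if __name__ == "__main__":
    print(json.dumps(scan_package(SAMPLE_PACKAGE_JSON, SAMPLE_INDEX_JS), indent=2))
```

Any one of these findings alone is not proof of malice (legitimate packages have install hooks, and base64 literals appear in test fixtures), but an install hook combined with a decoded workers.dev hostname or a link-local address hidden as an integer is exactly the pattern the description reports, and it is cheap to flag in CI before `npm install` runs with write access to the build host. Running the scan with `--ignore-scripts` set in the installer's `.npmrc` until the review completes keeps the hook from executing while the check happens.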

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-21T05:52:53Z",
            "versions": [
                "1.0.4"
            ],
            "sha256": "3ea3232ddda09bf884bbf590620c220141db593fe5b54073d0cd9e2d78a48e90",
            "id": "IN-MAL-2026-003751",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:14.687097929Z"
        },
        {
            "modified_time": "2026-05-21T05:53:32Z",
            "versions": [
                "1.0.4"
            ],
            "sha256": "54baa6f0ec5a8bf259c5984579654ff2c4e2cc7cabab1b8e746c5e92d90072a2",
            "id": "IN-MAL-2026-003752",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:14.799342147Z"
        },
        {
            "import_time": "2026-05-26T05:51:15.108738161Z",
            "versions": [
                "1.0.5"
            ],
            "sha256": "b234a9ab8e82e317bb9b3c94fb6b6cad46167662e2d56a43a98083ca3d3ea43f",
            "id": "IN-MAL-2026-003755",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T06:09:41Z"
        },
        {
            "modified_time": "2026-05-21T06:09:32Z",
            "versions": [
                "1.0.5"
            ],
            "sha256": "ed9a505fcbf6daef28b6625dcbde65ea1dd00b01c1a684debfdedfc7e5bc3643",
            "id": "IN-MAL-2026-003754",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:14.994655515Z"
        }
    ]
}
References
Credits

Affected packages

npm / auth0-templates-scripts-utils

Package

Name
auth0-templates-scripts-utils
Purl
pkg:npm/auth0-templates-scripts-utils

Affected ranges

Affected versions

1.*
1.0.4
1.0.5

Database specific

indicators
{
    "domains": [
        "gitlab.internal",
        "istio-ingressgateway.istio-system.svc.cluster.local",
        "redis.local",
        "postgres.local",
        "vault.internal",
        "kubernetes.default.svc",
        "jenkins.internal",
        "db.local",
        "lan",
        "internal",
        "intranet.local",
        "ec2.internal",
        "google.internal",
        "active-directory.local",
        "internal.jira.local",
        "kubernetes.default",
        "jenkins.local",
        "redis.internal",
        "home",
        "rancher.internal",
        "corp.local",
        "compute.internal",
        "mongodb.internal",
        "gitlab.local",
        "kubernetes.default.svc.cluster.local",
        "azure.internal",
        "consul.service.consul"
    ],
    "evidence_files": [
        {
            "sha256": "1d9384cb0cbf230c2e5fc736e349f0a0db4e5696b46b4c0c88c23c96ed105173",
            "tlsh": "1a03a7195126261186b1f7fb9b439824f7376273224286c83eec5b446fb3168d1e2ff8",
            "path": "index.js"
        },
        {
            "sha256": "b5e8a383c494ce83ee53fd2b4e80b06e9a7ac83afc4c50b809ada514a1633604",
            "tlsh": "cff0bb27d9709e7346749525e9394616f071cf2f15314c0b34fe622c2bb26a2559ef48",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "auth0-templates-scripts-utils-1.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-1Lxd7BsNbgIjCg3yGEuvjfgi4KMhaZFvUC+vAuIwaia5W7VqwRNCdvyq3qGLqj6hmqR7S764JonrXKABsqaL6g==",
                "sha1": "ad3c2540e1d1e4c9f475c43706c0e67e40759b8b"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/auth0-templates-scripts-utils/MAL-2026-4490.json"