MAL-2026-4495

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/banana-stand/MAL-2026-4495.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4495
Published
2026-05-20T13:15:42Z
Modified
2026-05-26T06:02:10.966121909Z
Summary
Malicious code in banana-stand (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ab14273a518e66f357d229806e82cb2f4ce211cae4bc5de0f2d15eeab67fb720)

On npm install, the package's install lifecycle hook runs node index.js, which loads lib/core.js. That module reads os.userInfo().username, os.hostname(), and the basename of process.cwd(), then issues a dns.resolve4 lookup for lwbanana.<username>.<hostname>.<cwd>.<unixtime>.oob.sl4x0.xyz, smuggling host identifiers out-of-band via DNS to an author-controlled domain. The same path also fires on require('banana-stand') because main points at the same entry. Strings used to construct the exfil (os, dns, userInfo, hostname, cwd, resolve4, and the destination domain oob.sl4x0.xyz) are concealed as String.fromCharCode byte arrays in lib/6ad264.js and lib/b02e30.js and decoded at runtime, indicating intentional concealment of the exfiltration channel.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-20T13:15:43Z",
            "versions": [
                "9.9.11"
            ],
            "sha256": "6557254afd81880fdee5e96ba7839759a16db9c60dbc25efc39be957f488a9a2",
            "id": "IN-MAL-2026-003541",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:49.406932276Z"
        },
        {
            "modified_time": "2026-05-20T13:15:42Z",
            "versions": [
                "9.9.11"
            ],
            "sha256": "ab14273a518e66f357d229806e82cb2f4ce211cae4bc5de0f2d15eeab67fb720",
            "id": "IN-MAL-2026-003540",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:49.298276454Z"
        }
    ]
}
References
Credits

Affected packages

npm / banana-stand

Package

Affected ranges

Affected versions

9.*
9.9.11

Database specific

indicators
{
    "domains": [
        "lwbanana.scan.scandc596b761e5.bananastand.1779282910.oob.sl4x0.xyz"
    ],
    "evidence_files": [
        {
            "sha256": "397d1435e7291ed6b02b8627033a110124d250a54290b3a8f9f248573fd6a2d4",
            "tlsh": "38014929a393c08f97e096d0361a03d18499c380e7ce80a5fa7c4a87904e7d1cac5a96",
            "path": "lib/core.js"
        },
        {
            "sha256": "15afa1966ef07bd0c2f3c79a45e095a96999f6fc852c819de819ae9a55e2ee99",
            "tlsh": "26e068173313c94fa1c80bf7790050a0aa0d8f58a11dc0dab91c678600af447d0c0272",
            "path": "lib/b02e30.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-yNZFhbTvNdir8kMquCAPN0USOCYCA1ZC6DqMoJ4cCX0/fiKrjO+C7UPlInbz00IhkELZXfFLq+CXtL0dIQP+vA==",
                "sha1": "4c7da9e76a5d521d5074b6371609ac04c08736ea"
            },
            "filename": "banana-stand-9.9.11.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/banana-stand/MAL-2026-4495.json"