MAL-2026-4496

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bandkit/MAL-2026-4496.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4496
Published
2026-05-25T23:10:12Z
Modified
2026-06-12T20:01:47.333957050Z
Summary
Malicious code in bandkit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (687dcebaf30461a2325de226851b84abfb6db6359a12c9392ece9c5ff02a620d)

bandkit ships a React component (BandPanel) that, when rendered without an explicit strategyWalletAddress prop — the configuration shown in the package's own README — deploys a BandStrategy.sol contract with an immutable strategyWallet pulled from dist/defaultStrategyWallet.js. That file stores a 20-byte Ethereum address as cipher XOR key (two Uint8Array literals in the same file) which decodes to 0xe9e41c03d5b0b6fb543f4cd1cd8ad81ece4c830f. dist/useStrategyContractDeployment.js wires this in via args: [options.strategyWalletAddress?? getDefaultStrategyWallet()]. When end users of the installer's UI click 'Start Bot', BandStrategy.activateStrategyEngine() executes (bool ok, ) = strategyWallet.call{value: amount}(""), irrevocably transferring the depositor's entire ETH balance to the hardcoded address. The defaultStrategyWallet.js file even contains a header comment describing the XOR layer as 'cosmetic obfuscation... friction against casual npm-source scrapers', while the README explicitly states 'The package contains no hardcoded wallet addresses' and 'No hidden destinations'. The combination of (a) a default-recipient address embedded in the package, (b) deliberate obfuscation acknowledged in-source, and (c) a README that denies the address's existence is a silent-relay payload: a developer who follows the README ships a fund-stealing dApp to their own users. Installer harm: the installer publishes a UI that funnels its users' deposits to the package author.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.7"
            ],
            "sha256": "328d601aed275e0122f2d0be8b7c5b76b920aa0af6aa57e7bd64ab540a0c0db3",
            "modified_time": "2026-05-25T23:10:12Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:17.712082388Z",
            "id": "IN-MAL-2026-004795"
        },
        {
            "versions": [
                "1.0.9"
            ],
            "sha256": "f17eed05248e00e40ac995b4a723da03f1e854a1445b2d99c6a52507511d3795",
            "modified_time": "2026-05-25T23:33:05Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:18.284819359Z",
            "id": "IN-MAL-2026-004800"
        },
        {
            "versions": [
                "1.0.9"
            ],
            "sha256": "6d7546959efc9cf15944286e0fe5cce44965113def72bea55866d8a130937f89",
            "modified_time": "2026-05-25T23:33:05Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:18.145850241Z",
            "id": "IN-MAL-2026-004799"
        },
        {
            "versions": [
                "1.0.7"
            ],
            "sha256": "f1341a067075e690ff81c24889d925809a5c29a1a402ebfadaaf8b5f36331c9f",
            "modified_time": "2026-05-25T23:10:12Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004794",
            "import_time": "2026-05-26T05:53:17.610898565Z"
        },
        {
            "versions": [
                "1.0.10"
            ],
            "sha256": "c2586b0e7114265fe8e85fee87db4b264f1dce9a574916b333af41870369e44a",
            "modified_time": "2026-05-26T11:26:08Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T13:32:46.375461088Z",
            "id": "IN-MAL-2026-004902"
        },
        {
            "versions": [
                "1.0.10"
            ],
            "sha256": "8d03553469ab55441dd89101f56b8872adee9194c6390b76e77f58b662de46dc",
            "modified_time": "2026-05-26T11:26:10Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T13:32:46.433733788Z",
            "id": "IN-MAL-2026-004903"
        },
        {
            "versions": [
                "1.0.11"
            ],
            "sha256": "018a4cd7e1cf6b632a8d58acdbfc15f48dffb0428a71638b2d040152260e13cf",
            "modified_time": "2026-05-26T14:32:19Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T15:07:42.690325968Z",
            "id": "IN-MAL-2026-004918"
        },
        {
            "versions": [
                "1.0.11"
            ],
            "sha256": "c12036b3e8a5f609179a8f9a6109178d5cd21a40493140d54324c5e499912c07",
            "modified_time": "2026-05-26T14:32:15Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T15:07:42.5614868Z",
            "id": "IN-MAL-2026-004917"
        },
        {
            "versions": [
                "1.0.16"
            ],
            "sha256": "687dcebaf30461a2325de226851b84abfb6db6359a12c9392ece9c5ff02a620d",
            "modified_time": "2026-06-12T19:11:15Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:44:19.766645641Z",
            "id": "IN-MAL-2026-006205"
        },
        {
            "versions": [
                "1.0.14"
            ],
            "sha256": "ea0489597e99751b2d16ab93eb3f71a05c62b282f723c27aa2043808f7b99464",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:11:13Z",
            "import_time": "2026-06-12T19:44:19.665072182Z",
            "id": "IN-MAL-2026-006204"
        }
    ]
}
References
Credits

Affected packages

npm / bandkit

Package

Affected ranges

Affected versions

1.*
1.0.7
1.0.9
1.0.10
1.0.11
1.0.14
1.0.16

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "bandkit-1.0.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-kksnEC+wcyf9moju5KAQhcIZdvwy0Z0xR9dV0uDS4EW3ihlAePKJ8iFsG3B7yzHp0HvR3qHDLIk6a5eqQwvHtQ==",
                "sha1": "42528be918cdb17e13b6f9a41e609d90ed36399e"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "666411bb4696a85222f502e377c61ab6fe5d845be70cc092cdcf5df87de98b3d",
            "path": "dist/useStrategyContractDeployment.js",
            "tlsh": "a5222c94b2f3530a4ca36479064fd1147d227e07710dc9513bbc9b229fd84a5caebbe9"
        },
        {
            "sha256": "d1620d87aff5eb6b9e44d319033008454d3e9bbd70d8cbd6061bf96dfd970884",
            "path": "dist/defaultStrategyWallet.js",
            "tlsh": "9c311f0a3f905af2008bc1ab468d41e3ea8a28d3b61958dcb05e45149f6183dc5feed7"
        }
    ],
    "domains": [
        "pkg.pr.new"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bandkit/MAL-2026-4496.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]