MAL-2026-4510

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cerebrum-core/MAL-2026-4510.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4510

Published

2026-05-21T01:06:31Z

Modified

2026-05-26T06:02:18.019850715Z

Summary

Malicious code in cerebrum-core (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e0ac38481a69f23f9170b098fcd48cd72b82edb969bdd44eb3aa5cc377a13a0d)

On npm install, the package's postinstall hook runs setup.js, which decodes an embedded base64 string into a tar.gz file at ../../../temp_bundle.tar.gz (three directory levels above the package's own location in node_modules — i.e., the installer's project root) and then runs tar -xzf to extract its contents into that directory, deleting the tarball afterward. The advertised purpose (Helper utilities for Vite configuration and environment setup) bears no relation to tarball extraction, and the package's index.js is a stub that only emits two console.log calls. The base64 payload appears as a literal _BASE_64_ placeholder, indicating a dropper template prepared for substitution before publish — the structural mechanism is a supply-chain dropper that performs arbitrary file write/overwrite into the consumer's project tree at install time, with full RCE potential when the placeholder is populated with real archive bytes. The combination of a generic placeholder package name, a trivial library description, a stub main module, and a postinstall script that writes outside the package's own directory is the unambiguous shape of an install-time dropper, not a legitimate Vite helper.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003671",
            "versions": [
                "1.1.0"
            ],
            "sha256": "e0ac38481a69f23f9170b098fcd48cd72b82edb969bdd44eb3aa5cc377a13a0d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T01:06:31Z",
            "import_time": "2026-05-26T05:51:04.872028857Z"
        }
    ]
}

References

https://www.npmjs.com/package/cerebrum-core/v/1.1.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / cerebrum-core

Package

Name: cerebrum-core; View open source insights on deps.dev
Purl: pkg:npm/cerebrum-core

Affected ranges

Affected versions

1.*

1.1.0

Database specific

indicators

{
    "evidence_files": [
        {
            "path": "setup.js",
            "sha256": "58f46ded66c1747db7998968203280fcf6b90febc60d8d16e5a3df2b644d3a54",
            "tlsh": "88e0abe107c153f4d8a0cec3eb10ba2e5243d1937b03d6c0c16c12ca2bd369154b2cb9"
        },
        {
            "path": "package.json",
            "sha256": "fc00212aea1da575d6ae92d3965aeefb16ca688d5075a4da20754361f54731be",
            "tlsh": "09d02e204e226c3320c46fa20caf940629314f3b0200a84c2bd720288baa2726eff218"
        }
    ],
    "package_integrity": [
        {
            "filename": "cerebrum-core-1.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Oxfs8tVzQgDNLcIlhv3dL9v+zDHYHHiMY1cPoVBD3bIrX9oEylvSXmURZIQGtiRplKM0LUf1HLVZbnGOe/e/ug==",
                "sha1": "a87f9adca2aad21fca36ee8a7b6603e9acb968e2"
            }
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cerebrum-core/MAL-2026-4510.json"