MAL-2026-4555

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/events-router/MAL-2026-4555.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4555
Published
2026-05-22T17:03:56Z
Modified
2026-05-26T06:02:31.413891709Z
Summary
Malicious code in events-router (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c5482b17f0abd8f4ae8fed4fa5c53ea035a15b252efec406ae65dfe3365a7412)

events-router@2.1.4 impersonates the events EventEmitter polyfill (README and Travis badge copied verbatim from browserify/events) and ships a multi-stage attacker payload.

events.js patches EventEmitter.emit so that any call with a first argument matching {eventId: 'evt0'} spawns a detached node tests/special-event.min.js child outside the documented API.

tests/special-event.min.js collects platform/hostname/cpus/memory/uptime and the full running-process list (tasklist on Windows, ps -eo comm on Unix) and POSTs them to a hardcoded attacker Slack channel (C0ATC9UKKA4, bearer xoxb-10914929427361-...) and to Telegram bot 8717417715 chat -1003968723972.

tests/special.min.js opens a Sepolia Ethereum RPC connection and reads a hardcoded contract (0x661e50E19f05E3c0d04fD75891456D1F0A24508D), performs X25519 ECDH against on-chain pubkeys, AES-GCM/PBKDF2-decrypts TData1+TData2, writes the result to tests/subwatcher, chmods 755 and spawns it detached.

tests/index.min.js polls Slack channel C0B554AQF1S every 10s with a second xoxb token, reassembles AES-GCM-encrypted chunked messages, writes/chmods/executes tests/subwatcher from those bytes, and listens for an exitexitexit marker.

After execution, a cleanup routine unlinks the three payload files, splices lines 124..139 out of events.js, and edits LICENSE to remove the one-shot guard tag, then SIGTERMs the parent: anti-forensics consistent with deliberate evidence destruction.

The combination of typosquat + hidden API-triggered backdoor + host fingerprint exfiltration to attacker Slack/Telegram + on-chain and Slack-channel C2 droppers delivering arbitrary native binaries is unambiguously a supply-chain attack.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:52:12.10225221Z",
            "sha256": "c5482b17f0abd8f4ae8fed4fa5c53ea035a15b252efec406ae65dfe3365a7412",
            "id": "IN-MAL-2026-004231",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T17:03:56Z",
            "versions": [
                "2.1.4"
            ]
        }
    ]
}

Affected packages

npm / events-router

Package

Affected ranges

Affected versions

2.*
2.1.4

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-6BWOwRW5JTs58QRhbHVUl+9XJWQ5gkm/evhHf8wXSKAGc7uWT8nnf3shpQoMrGbwNiflkVwHZElaUb4IrvLB3w==",
                "sha1": "d4c66f31e1720d0753ef603d02e7c1f9d6ae9f8d"
            },
            "filename": "events-router-2.1.4.tgz"
        }
    ],
    "evidence_files": [
        {
            "sha256": "1e58c1253d08e0e918b3f9c37b837d4481054ac3705033fc04dea392543c374d",
            "tlsh": "fa62208c5be6253212d3e3af3b4f520ab138c1a72018d950794cdbe41f5ac7886f6be5",
            "path": "events.js"
        },
        {
            "sha256": "46866b65866e137216281fe724c3811a64feacd33a68206431f332725a230ccf",
            "tlsh": "c2220bd076e2bb3503d672f98098aa07c7f95a68454b4564f56ecccb3088884df73bb5",
            "path": "tests/special-event.min.js"
        },
        {
            "sha256": "f2bc0acb6279d81fe2d0184a11fe7878f0c509e7c1177f1039241669cb60748c",
            "tlsh": "a971f9d0af796b7f16e22423b825350242b48a382b5b1310b21c9a4f77958d15ab3fd8",
            "path": "tests/index.min.js"
        },
        {
            "sha256": "38dd776e32fd8d083c6449509cb6ebb1bdbd45e516723fcff637126f3bb484d9",
            "tlsh": "c05150af029127672a7d13deff17609efb2640fc70d1a2902c1e4d6d52a21b0826e0ce",
            "path": "Readme.md"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/events-router/MAL-2026-4555.json"