-= Per source details. Do not edit below this line.=-
package.json declares "consolefy": "git+https://github.com/ccndjdjdnnddnd-jpg/sbdrsfhbrfh.git" instead of resolving the legitimate consolefy package from the npm registry. The git URL has no commit SHA, tag, or branch pin, so npm install clones whatever HEAD points to at install time, which is fully mutable by the owner of that throwaway GitHub account (random-character username, unrelated to the legitimate consolefy publisher). The package's library entry (lib/index.js) transitively loads lib/Classes/Client.js and lib/Classes/CommandHandler.js, both of which call require("consolefy") at module top level, so any code the attacker pushes to that repo executes in the environment of everyone who installs and requires gehneb. Combined signals: empty description and empty author metadata, a short opaque package name, and a Baileys/WhatsApp-bot dependency surface re-published under unrelated branding. The unpinned override pointing at the attacker's repo alone provides a silent install-time/require-time RCE channel into the installer's environment.
{
  "malicious-packages-origins": [
    {
      "versions": [
        "1.0.1"
      ],
      "sha256": "02811600aba146f33bc2f2a8eeee83d8539bf60398695af9f89b80541bbff971",
      "modified_time": "2026-05-25T16:58:10Z",
      "source": "amazon-inspector",
      "id": "IN-MAL-2026-004727",
      "import_time": "2026-05-26T05:53:10.065171529Z"
    }
  ]
}
{
  "package_integrity": [
    {
      "filename": "gehneb-1.0.1.tgz",
      "hashes": {
        "sha512_sri": "sha512-/+L0+Tw3LhZVD1TjiQK/HtsEyO+0aRTiI2kdEQTuEUyRYnt+kdmTLP8WcXd8+mAg2dG0+tsqTdwkov5VQ46/bw==",
        "sha1": "07ed1506d5ae51d90d5cba133b3ce49c24ba5fda"
      }
    }
  ],
  "evidence_files": [
    {
      "sha256": "bbb62eeb56394f9c1c118498fe23a217a70d123bde3009341e77822e675e1f7e",
      "path": "package.json",
      "tlsh": "c021d024c8149cb305c521fc8dba8642a1bb0a5708acfc1833d9432c4f5d26f34bab7e"
    }
  ]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gehneb/MAL-2026-4570.json"
[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]