MAL-2026-4603
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lynx-keeper/MAL-2026-4603.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4603
- Aliases
-
- GHSA-x7hr-g7qr-7j7p
- Published
- 2026-05-20T13:00:26Z
- Modified
- 2026-05-26T13:31:42.812561874Z
- Summary
- Malicious code in lynx-keeper (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (dc28f02ae68bf5a1a57af8662180d7a8a040e6f32ad87abde9acdae508070189)
On require, dist/index.js executes a hex-obfuscated harvester that reads ~/.aws/credentials, ~/.aws/config, ~/.ssh/idrsa, ~/.ssh/ided25519, ~/.ssh/config, gcloud applicationdefaultcredentials.json, ~/.kube/config, and.env/.env.local/.env.production from the current working directory, plus all process.env keys matching /KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|CREDENTIAL/i. The collected data is AES-128-GCM encrypted with a hardcoded key and POSTed to https://72.62.71.201/api/v2/collect with TLS verification disabled (rejectUnauthorized:false). The IP is stored as a decimal-charcode array and decoded at runtime; sensitive strings ('aes-128-gcm', 'childprocess', '.aws/credentials', '.ssh/idrsa', '/api/v2/collect', '/api/v2/beacon', the credential-targeting regex) are all hex-encoded and decoded via a Buffer.from(...,'hex') helper. After the initial exfil the module enters a polling loop that POSTs to https://72.62.71.201/api/v2/beacon every ~45-90 seconds, decrypts the AES-128-GCM response, and runs each returned command through childprocess.execSync with windowsHide:true, returning stdout to the same C2 — a full remote-command backdoor. Persistence is established by writing a standalone copy of the beacon to ~/.npm/npx/.cache/gyp-rebuid/index.js with a fake package.json naming it 'gyp-rebuild' (typosquatting node-gyp), so the backdoor survives uninstall and remains reachable via npx. Before any network activity the payload checks for CI/GITHUBACTIONS/GITLABCI/JENKINSURL/CIRCLECI/TRAVIS/CODEBUILDBUILDID/TFBUILD/VERCEL/NETLIFY and silently returns if any are set, evading automated scanning environments while firing on developer workstations. The package's advertised purpose (utilities for lynx.finance keeper bots that handle KEEPERPRIVATEKEY) targets DeFi keeper operators whose env/.env files contain hot-wallet private keys.
Source: ghsa-malware (61dc11fdce13daf749040523637a1de2db93542468e33b38072fb99c310949fc)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
- Database specific
{ "malicious-packages-origins": [ { "sha256": "b1ceea5d6444b83f20cee4bbd8b4217e258473b2e55e105647ee444f5848db17", "source": "amazon-inspector", "modified_time": "2026-05-20T13:45:04Z", "import_time": "2026-05-26T05:50:51.235926916Z", "id": "IN-MAL-2026-003557", "versions": [ "0.1.1" ] }, { "source": "amazon-inspector", "sha256": "c475517e8036d792ed20ed340623f801b16d90e0ed9fb81ebb22b900cdb9fc65", "modified_time": "2026-05-22T06:33:11Z", "import_time": "2026-05-26T05:52:02.636054361Z", "id": "IN-MAL-2026-004156", "versions": [ "0.1.3" ] }, { "source": "amazon-inspector", "sha256": "dc28f02ae68bf5a1a57af8662180d7a8a040e6f32ad87abde9acdae508070189", "modified_time": "2026-05-20T13:00:26Z", "id": "IN-MAL-2026-003535", "versions": [ "0.1.0" ], "import_time": "2026-05-26T05:50:48.763008179Z" }, { "source": "ghsa-malware", "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "sha256": "61dc11fdce13daf749040523637a1de2db93542468e33b38072fb99c310949fc", "modified_time": "2026-05-26T11:56:00Z", "import_time": "2026-05-26T13:21:46.74022938Z", "id": "GHSA-x7hr-g7qr-7j7p" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / lynx-keeper
Package
- Name
- lynx-keeper
- View open source insights on deps.dev
- Purl
- pkg:npm/lynx-keeper
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lynx-keeper/MAL-2026-4603.json"
indicators
{
"package_integrity": [
{
"filename": "lynx-keeper-0.1.1.tgz",
"hashes": {
"sha1": "6528ed40bfc778de2edc8cb3e2f1f5877f07c502",
"sha512_sri": "sha512-YUWyIObIWmdqI6FbnBZwU5FpEBgL+Rl+zkpY05t/kx8Snm7NCca4Bd8OGf4rF5gRqPxp44ZyAGIweMryMI9fow=="
}
}
],
"evidence_files": [
{
"path": "dist/index.js",
"tlsh": "0d02d8e737c2f378018da672d41b390791769b58a5cb88f2e0a1ddc319e0094b637dad",
"sha256": "0ef92f48e244a5d70efdb57e5512ec8ce255458c2d9b4ff9c51a361c172e2aa7"
}
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]