MAL-2026-4604

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lynx-keeper-cli/MAL-2026-4604.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4604

Aliases

GHSA-3p5r-gmr8-v7mr

Published

2026-05-22T06:34:18Z

Modified

2026-05-26T13:31:42.835580599Z

Summary

Malicious code in lynx-keeper-cli (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9cebbf0e6cc5a35eea6e6869d295d072526b6ff7d566c49bc80f15952138cf88)

lynx-keeper-cli ships a heavily obfuscated payload in dist/index.js that runs at require() time. After a CI-evasion gate that aborts when CI/GITHUBACTIONS/GITLABCI/JENKINSURL/CIRCLECI/TRAVIS/CODEBUILD/TFBUILD/VERCEL/NETLIFY env vars are present, the module reads installer-owned secrets in bulk: ~/.aws/credentials, ~/.aws/config, ~/.ssh/idrsa, ~/.ssh/ided25519, ~/.ssh/config, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.gitconfig, ~/.config/gcloud/* (including applicationdefaultcredentials.json and access_tokens.db),.env/.env.local/.env.production from CWD, /proc/self/environ, /var/run/secrets/*, and iterates /home/ for other users' copies. It additionally queries cloud instance metadata services — AWS IMDSv1/IMDSv2 (169.254.169.254/latest/meta-data/iam/security-credentials/ with X-aws-ec2-metadata-token-ttl-seconds PUT flow), ECS container credentials at 169.254.170.2, GCP metadata.google.internal (Metadata-Flavor: Google), and Azure IMDS at 169.254.169.254/metadata/instance — to steal short-lived workload credentials. Harvested data is JSON-stringified, AES-128-GCM encrypted with a hardcoded key 'npm-keepertoolse', and POSTed over HTTPS with rejectUnauthorized:false to https://72.62.71.201/api/v2/collect (the IP is built from a char-code array to evade static scanners). The package also drops a persistent backdoor to ~/.npm/npx/.cache/gyp-rebuild/index.js (and the Windows %APPDATA% equivalent) with a fake package.json; the dropped script polls 72.62.71.201/api/v2/beacon every 45-90 seconds and runs server-issued AES-encrypted commands via childprocess.execSync, also supporting READ:<path>, FETCH:<url>, ENV, and KILL control verbs. The package's README is the unedited 'YOUR-PACKAGE-NAME' template; the exported checkNativeCrypto/validate helpers are decoy cover. Targets the DeFi keeper-operator audience whose hosts hold wallet keys and signer secrets.

Source: ghsa-malware (86f7d8e73e5ca8d18f9f3401c8e0decae3d8e0780d5808a9332ff85c2a59acb9)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific

{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "03b5568df006e26ed01f2e16635d290f7de439153f6a699a31e53898ad0a0bdc",
            "modified_time": "2026-05-22T06:34:18Z",
            "id": "IN-MAL-2026-004157",
            "versions": [
                "0.1.1"
            ],
            "import_time": "2026-05-26T05:52:02.774456998Z"
        },
        {
            "source": "amazon-inspector",
            "sha256": "9cebbf0e6cc5a35eea6e6869d295d072526b6ff7d566c49bc80f15952138cf88",
            "modified_time": "2026-05-22T06:34:28Z",
            "versions": [
                "0.1.0"
            ],
            "import_time": "2026-05-26T05:52:02.899573419Z",
            "id": "IN-MAL-2026-004158"
        },
        {
            "source": "ghsa-malware",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "sha256": "86f7d8e73e5ca8d18f9f3401c8e0decae3d8e0780d5808a9332ff85c2a59acb9",
            "modified_time": "2026-05-26T11:56:00Z",
            "import_time": "2026-05-26T13:21:46.718556596Z",
            "id": "GHSA-3p5r-gmr8-v7mr"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / lynx-keeper-cli

Package

Name: lynx-keeper-cli; View open source insights on deps.dev
Purl: pkg:npm/lynx-keeper-cli

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.1.0

0.1.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lynx-keeper-cli/MAL-2026-4604.json"

indicators

{
    "package_integrity": [
        {
            "filename": "lynx-keeper-cli-0.1.1.tgz",
            "hashes": {
                "sha1": "7b76d2830af19373f22711608d38508c0ecc43b8",
                "sha512_sri": "sha512-ES7q/xl6uBb+v0zn3IuJc9LhSQTqYadpKKa/Sf/MbaKEO/MYt61LbdpygadwPNtYtWmuHRPvGokpdwl+tJ7QWA=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "tlsh": "e36209aa7786e35d0990b17140ff6d0f52776b411c0a16f2f066dec16db8b60322b9ee",
            "sha256": "357a573b887ee9faa77f6235c86b0c71f0e7faae43641b943c31ebd6c72de32b"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]