MAL-2026-4615

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/motion-tool/MAL-2026-4615.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4615
Aliases
  • GHSA-hw79-5457-g9c3
Published
2026-05-25T19:08:11Z
Modified
2026-06-01T17:16:36.380921871Z
Summary
Malicious code in motion-tool (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f13ebafd858996faf32f6987cd969b933bf5c31c7ac329cf55f160bb6bbf6007)

This package masquerades as the pino logger (README copied from pino, exports module.exports.pino = middleware) but its middleware does no logging. When the exported function is invoked, index.js detach-spawns node lib/initializeCaller.js with detached: true, stdio: 'ignore', and child.unref() so the child outlives the parent and runs silently. lib/initializeCaller.js shadows process.env with a local object whose DEV_API_KEY field is a base64 string decoding to https://purple-kelila-79.tiiny.site/data.json; an x-secret-key header is decoded the same way. The script fetches that anonymous tiiny.site URL via axios, takes response.data.cookie, and executes it with new Function.constructor('require', response)(require), retrying up to 5 times. This grants the operator of purple-kelila-79.tiiny.site arbitrary code execution with full Node require access on any host that uses this package. The combination of (a) impersonation of a popular logger, (b) remote-code-fetch-and-execute from an anonymous static host with no integrity check, (c) base64 obfuscation disguised as developer env vars, and (d) detached-spawn lifecycle evasion is unambiguous active-attack shape.

Source: ghsa-malware (43abf1e27b44f8aa962b83a85c9c9b28ab5698f0b1abca5e22af781b93fd3c57)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific 
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "f13ebafd858996faf32f6987cd969b933bf5c31c7ac329cf55f160bb6bbf6007",
            "modified_time": "2026-05-25T19:08:11Z",
            "id": "IN-MAL-2026-004766",
            "versions": [
                "2.3.8"
            ],
            "import_time": "2026-05-26T05:53:14.504066678Z"
        },
        {
            "source": "ghsa-malware",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "sha256": "43abf1e27b44f8aa962b83a85c9c9b28ab5698f0b1abca5e22af781b93fd3c57",
            "modified_time": "2026-06-01T14:27:08Z",
            "import_time": "2026-06-01T17:03:32.546541529Z",
            "id": "GHSA-hw79-5457-g9c3"
        }
    ]
}
References
Credits

Affected packages

npm / motion-tool

Package

Name
motion-tool
View open source insights on deps.dev
Purl
pkg:npm/motion-tool

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.3.8

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/motion-tool/MAL-2026-4615.json"
indicators 
{
    "package_integrity": [
        {
            "filename": "motion-tool-2.3.8.tgz",
            "hashes": {
                "sha1": "5130dd1a3ea211094dd73b9b1443c976c03e05a7",
                "sha512_sri": "sha512-uIxAwN8F2upMnCObNeFhOqE/yCMsjRNgCB6iQzXedENljLid6fdqC3MLBlxDIvEOdjr8ZwRxXeN/dCXAfolNiw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "lib/initializeCaller.js",
            "tlsh": "b311c08e61fc100c006152e5b62f14116021e4273d8ad5e877cc83871f9567f6d536ef",
            "sha256": "e5e2163fdafce48f59ac0fad8e8b98b5eaffa45e3978b18d442480b7758f6c6d"
        },
        {
            "path": "index.js",
            "tlsh": "0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7",
            "sha256": "1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911"
        }
    ]
}
cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]