MAL-2026-4616

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/muaddib-scanner/MAL-2026-4616.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4616
Published
2026-05-25T10:36:48Z
Modified
2026-05-26T06:02:43.020060980Z
Summary
Malicious code in muaddib-scanner (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c8eea5d3ed390c4c82b5bfa89ac220f1d424fcaebe70fe71bbbe3bce66f0f48f)

package.json declares "loadash": "^1.0.0" as a runtime dependency. loadash is a well-known typosquat of lodash, and it is never required or imported anywhere in this package's source: the dependency is unused by the scanner itself. Every installer of this package nevertheless pulls loadash@^1.0.0 into their node_modules transitively, executing whatever code that typosquat ships.

The remaining static signals on this package (curl/ping/POST/child_process/https patterns across src/scanner/, src/ioc/, src/rules/, src/ml/, src/sandbox/) are consistent with the package's stated purpose: a supply-chain security scanner that inspects other packages' lifecycle scripts, fetches package metadata from registry.npmjs.org, and analyzes IOC patterns such as curl http://evil.com as data. Literal strings like curl http://evil.com and $(whoami) appear as detection rule examples, not as executed commands.

The block is based on the namespace-abuse vector: a security tool has no legitimate reason to ship an unused typosquat dependency, and installers should not silently acquire it.
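As an added example (not the scanner's own code, nor anything from the advisory source), the following Node.js script reproduces the two checks behind this advisory: a dependency declared in package.json that no source file ever requires or imports, and a dependency name within a small edit distance of a well-known package. The package.json and source files are constructed to mirror the advisory, and POPULAR_PACKAGES is an illustrative stand-in (an assumption) for a real list of popular registry names.

```javascript
'use strict';

// Added example, not code from muaddib-scanner or from the advisory source:
// a lexical audit for (1) dependencies declared in package.json that no
// source file ever requires/imports and (2) dependency names within a small
// edit distance of a well-known package. POPULAR_PACKAGES is an illustrative
// short list (an assumption); real tooling would use a registry-derived set.
const POPULAR_PACKAGES = ['lodash', 'express', 'react', 'axios', 'chalk', 'semver'];

// Levenshtein edit distance (insert/delete/substitute each cost 1), single-row DP.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Map a module specifier to the npm package that satisfies it:
// 'lodash/fp' -> 'lodash', '@scope/pkg/sub' -> '@scope/pkg'.
// Relative/absolute paths and 'node:' builtins return null.
function packageNameOf(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Matches require('x'), import('x'), import ... from 'x' and import 'x'.
// Lexical only: a string literal inside a detection rule would also match,
// which is why results are filtered against the declared dependency set.
// Bare builtins such as 'https' end up in the set too; they are never
// declared dependencies, so they do not affect the result.
const IMPORT_RE = /(?:\brequire\s*\(|\bimport\s*\(|\bfrom\s+|\bimport\s+)\s*['"]([^'"]+)['"]/g;

function referencedPackages(sourceFiles) {
  const seen = new Set();
  for (const content of Object.values(sourceFiles)) {
    for (const m of content.matchAll(IMPORT_RE)) {
      const name = packageNameOf(m[1]);
      if (name) seen.add(name);
    }
  }
  return seen;
}

function findUnusedDependencies(pkg, sourceFiles) {
  const used = referencedPackages(sourceFiles);
  return Object.keys(pkg.dependencies || {}).filter((name) => !used.has(name));
}

function findTyposquats(names, popular = POPULAR_PACKAGES, maxDistance = 2) {
  const hits = [];
  for (const name of names) {
    if (popular.includes(name)) continue; // the genuine package, not a lookalike
    for (const candidate of popular) {
      const distance = levenshtein(name, candidate);
      if (distance <= maxDistance) hits.push({ name, lookalike: candidate, distance });
    }
  }
  return hits;
}

// Combine both signals: an unused dependency that also looks like a typosquat
// is exactly the pattern this advisory describes.
function auditPackage(pkg, sourceFiles, popular = POPULAR_PACKAGES) {
  const unused = findUnusedDependencies(pkg, sourceFiles);
  const typosquats = findTyposquats(Object.keys(pkg.dependencies || {}), popular);
  const findings = typosquats.map((t) => ({
    ...t,
    unused: unused.includes(t.name),
    severity: unused.includes(t.name) ? 'high' : 'medium',
  }));
  return { unused, typosquats, findings };
}

// Constructed sample input modelled on the advisory: an unused "loadash"
// runtime dependency next to dependencies the source actually uses.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-scanner',
  version: '0.0.1',
  dependencies: { loadash: '^1.0.0', semver: '^7.6.0', tar: '^6.2.0' },
  devDependencies: { jest: '^29.0.0' },
};

const SAMPLE_SOURCES = {
  'src/scanner/index.js': `
    const semver = require('semver');
    const { execFile } = require('node:child_process');
    const https = require('https');
    const tarball = import('tar');
    module.exports = { scan: () => [] };
  `,
  'src/rules/ioc.js': `
    // Rule examples are data, not executed commands.
    module.exports = ['curl http://evil.com', '$(whoami)'];
  `,
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES), null, 2));
```

The check is lexical, so a detection rule containing the text require('x') counts as a use of x; that is acceptable here because only names in the declared dependency set can be reported, and a false "used" only suppresses a finding. Once a lookalike name reaches a lockfile the install has already happened, so this belongs in CI before npm install, or in an install-time policy hook, rather than after the fact.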

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.11.41"
            ],
            "modified_time": "2026-05-25T10:36:48Z",
            "sha256": "c8eea5d3ed390c4c82b5bfa89ac220f1d424fcaebe70fe71bbbe3bce66f0f48f",
            "id": "IN-MAL-2026-004623",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:58.134368552Z"
        }
    ]
}
References
Credits

Affected packages

npm / muaddib-scanner

Package: muaddib-scanner (npm)
Affected ranges: (none listed on this page)
Affected versions: 2.11.41 (grouped as 2.*)

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "muaddib-scanner-2.11.41.tgz",
            "hashes": {
                "sha512_sri": "sha512-YMs17bAblLr+J90oSRTjC9W3wPvZUMo4VszX+xipOeNxH7tQ66hOkKLgVtU0Nd9f9LZFHisduRqknh1GXKi7Nw==",
                "sha1": "b8978075f3ffe1e173606387552041b9f0714ab8"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "6e31eca1de351d7319c85eda68790143a175990f9d98fc0eb3e9501c4f8d06f00fe5ae",
            "sha256": "d88d58a1b28815d6f5b60ec4fe076188158995c67d883e78461333b2ba1e8fda"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/muaddib-scanner/MAL-2026-4616.json"