MAL-2026-4617

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/n8n-nodes-pentest-rce/MAL-2026-4617.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4617
Published
2026-05-21T00:47:40Z
Modified
2026-05-26T06:02:43.025843458Z
Summary
Malicious code in n8n-nodes-pentest-rce (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2a813bc4a209e75b50151451de1c2a3c4a7e916b181b314416eafc43492b4eb5)

On npm install, the package's postinstall script runs a shell pipeline that reads the Kubernetes service-account token from /var/run/secrets/kubernetes.io/serviceaccount/token (truncated to 200 bytes), the pod namespace file, the first 20 sorted environment variables, and host fingerprinting data (id, hostname, uname -a, ip addr, /etc/os-release, mount, /proc/1/status, /proc/1/cgroup), emitting them between =RCE_START= / =RCE_END= markers. In typical n8n custom-node installation contexts (n8n cloud, CI build pipelines, container-image builds), install-time stdout is captured into build logs accessible to the attacker. The advertised node code in dist/PentestNode.node.js is a no-op (return [this.getInputData()]) and index.js exports {} — the package provides no functional value to a consumer; the install-time shell payload is the entire purpose. The package self-identifies as a 'pentest proof of concept' for RCE in its name and description. The exfiltrated K8s SA token grants API access to the cluster the installer runs in, and the env-var dump commonly contains cloud-provider credentials.

Database specific
References
Credits

Affected packages

npm / n8n-nodes-pentest-rce

Package

Name
n8n-nodes-pentest-rce
Purl
pkg:npm/n8n-nodes-pentest-rce

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.3
1.0.7
1.0.8
1.0.11
1.0.15
1.0.16
1.0.19
1.0.21
1.0.28
1.0.29
1.0.30
1.0.31
1.0.32
1.0.33
1.0.35
1.0.36
1.0.37
1.0.38
1.0.39
1.0.40
1.0.41
1.0.42
1.0.43
1.0.44

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "fd3f685fb1c0257614f7ed6adf841418bec9824b6be984bcb6da755af0389f14",
            "tlsh": "9901c2101deb56b467b290906f13956bb076ef07a025e4be774ccf1fae94804c0959ad",
            "path": "dist/PentestNode.node.js"
        },
        {
            "sha256": "176af866ce0cac8afe5ca346f90b7067c51b9962a6e6c53569cf0931121f914e",
            "tlsh": "a3d0a7294c13461726c845a81c555912b6214e4b918cb814b397542c57dda7644bd24d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "n8n-nodes-pentest-rce-1.0.35.tgz",
            "hashes": {
                "sha512_sri": "sha512-GP878YxMaWJN0yvgSQhZjxLT3Y/Hlh97hVL+k1csdz2WJPQiSCKKVhUctiEhHJYby7+NBn0DAOM0bhtIEEO6CA==",
                "sha1": "1d6911b51d358d66274321ba406dd761147e1c12"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/n8n-nodes-pentest-rce/MAL-2026-4617.json"