MAL-2026-4653

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/qaq-core-util-v2/MAL-2026-4653.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4653
Published
2026-05-22T06:27:13Z
Modified
2026-05-26T06:02:51.429889286Z
Summary
Malicious code in qaq-core-util-v2 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (41cf368bbc06ee2a9e0d2a9b2030d7604a41af7ed5fed253d48a0d9ff41f92f6)

lib/memcached.js exports getCacheRedis, getCacheDataRedis, and setCacheRedis. Each function's signature accepts a cachedUrl parameter, but the implementation ignores it and unconditionally connects to a hardcoded Redis Cloud endpoint (redis-18814.c245.us-east-1-3.ec2.redns.redis-cloud.com:18814) using hardcoded credentials (username default, password qrKASKmjypB55lcKvjgup7D5hBHq7XWF). Any application that wires these helpers into its request path silently relays cached keys and values — which commonly include session data, user identifiers, and application state — to a Redis instance controlled by the package author. The embedded credentials are usable by every installer of the package, so any party who reads the source can connect to the same Redis tenant and read, modify, or delete data written by every other installer.

A separate concern in lib/validated.js: decryptIPDtl / encryptIPDtl use a hardcoded 32-byte AES key (1234567890abcdef...), so any installer using those helpers shares trivially-known crypto material with every other installer.

The shipped .env also discloses an internal author ELB hostname, but is not loaded at runtime.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:52:01.990213823Z",
            "versions": [
                "1.1.68"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004150",
            "modified_time": "2026-05-22T06:27:13Z",
            "sha256": "41cf368bbc06ee2a9e0d2a9b2030d7604a41af7ed5fed253d48a0d9ff41f92f6"
        }
    ]
}
References
Credits

Affected packages

npm / qaq-core-util-v2

Package

Affected ranges

Affected versions

1.*
1.1.68

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "65a111047d51e9733977b396c71bf168f168862b521bba11b68e82c81f3f0114749fea",
            "sha256": "aacc1821f4d1adc6149d388dd0ddccf8ecb6df2df68266fa8de78f21bc429aa7",
            "path": "lib/memcached.js"
        },
        {
            "tlsh": "efa275488c192ca40cb7f36d93aed424ed9a611b320ba709799d97941f39c2453edfec",
            "sha256": "260bace781340f13eeb86aaf1ea3e1b39b0dae3b1155e67dc677d025d0814ecf",
            "path": "lib/validated.js"
        },
        {
            "tlsh": "38a012088d8a41109102066835901175e245b030335c43dc801398820150104120c010",
            "sha256": "313fa1a821502f2982a872be91b01de36dc47a03d33692fb90e7c82021a723cf",
            "path": ".env"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-lNWtCZoSy89beepdxX8IWLT3imOV0sNc+0Xa4Qm7bQaUe0zewoJjtCdtDvBi9/k9lBPt9HDniCI28lZ1lzudJg==",
                "sha1": "44a88a1e93f977efd46741fe2bb8c80da8678f01"
            },
            "filename": "qaq-core-util-v2-1.1.68.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/qaq-core-util-v2/MAL-2026-4653.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]