MAL-2026-4662
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rendezvous-js/MAL-2026-4662.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4662
- Published
- 2026-05-20T13:17:50Z
- Modified
- 2026-05-26T06:02:53.275566213Z
- Summary
- Malicious code in rendezvous-js (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (5b4a03eaa6b09e5b9e291dd450f58e49a639c3efd8fa952f5ac48f9aea04aba4)
On
npm install(scripts.install runsnode index.js) and onrequire('rendezvous-js'), lib/core.js collectsos.userInfo().username,os.hostname(), and the basename ofprocess.cwd(), then issues a DNS A-record lookup forlwrendezvous.<user>.<host>.<cwd>.<timestamp>.oob.sl4x0.xyz. The query encodes installer host identity into the subdomain so it reaches the attacker's authoritative nameserver — a standard DNS-tunnel exfiltration channel that bypasses HTTP egress filtering. The destination domain (oob.sl4x0.xyz), the imported module names (os,dns,process), and method names (userInfo,hostname,cwd,resolve4) are all stored as decimal char-code arrays in lib/b02e30.js and lib/6ad264.js and decoded at runtime viaString.fromCharCodesolely to hide the channel from review. The README explicitly claims 'No network requests / No file system access', directly contradicting the shipped code. The author emailresearch@sl4x0.xyzmatches the exfil domain, and the beacon prefixlwrendezvousplus generic 'Enterprise Tools Team' authorship are consistent with a typosquat/dependency-confusion lure. Installer harm fires both at install time and at require time without consent. - Database specific
{ "malicious-packages-origins": [ { "import_time": "2026-05-26T05:50:49.505696034Z", "versions": [ "9.9.11" ], "id": "IN-MAL-2026-003542", "sha256": "5b4a03eaa6b09e5b9e291dd450f58e49a639c3efd8fa952f5ac48f9aea04aba4", "modified_time": "2026-05-20T13:17:50Z", "source": "amazon-inspector" }, { "import_time": "2026-05-26T05:50:49.617021274Z", "versions": [ "9.9.11" ], "source": "amazon-inspector", "id": "IN-MAL-2026-003543", "modified_time": "2026-05-20T13:17:51Z", "sha256": "94439c9366c8f8c3ae7ed2b70305f1ea90efca3e5d162868f3453b7237f7a5c5" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / rendezvous-js
Package
- Name
- rendezvous-js
- View open source insights on deps.dev
- Purl
- pkg:npm/rendezvous-js
Database specific
indicators
{
"domains": [
"lwrendezvous.scan.scan2e66d235d0f.rendezvousjs.1779283022.oob.sl4x0.xyz"
],
"evidence_files": [
{
"tlsh": "38014929a393c08f97e096d0361a03d18499c380e7ce80a5fa7c4a87904e7d1cac5a96",
"sha256": "397d1435e7291ed6b02b8627033a110124d250a54290b3a8f9f248573fd6a2d4",
"path": "lib/core.js"
},
{
"tlsh": "f7e068073313c94fa1c80bf77d0050a4aa5e8f5da12dc0d6b61c678910af443c0c0632",
"sha256": "b1541861e4113e791bf6eac343421a0a9b4b763be3369d9b443d37fa7632cb3d",
"path": "lib/b02e30.js"
},
{
"tlsh": "9e216a21ce644d632ac429d4a8a96942f4a3481b4d587c0a73c6913c8fdf2af51ff61d",
"sha256": "557681b9b585b6ef4e04667979a6b5c7d1fef7600276136dc0ab2fff899a4828",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-G/Q7ITUQ8ri9JlUDcOtYYAyEKzOFdmTU/fVzjy2IDsmi+IieElZQz1kKOuVmfPuJemtluLP6y5QQI7JDiYyT2g==",
"sha1": "64e7fdd812188ef46c484f02ced46e1efb3206fc"
},
"filename": "rendezvous-js-9.9.11.tgz"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rendezvous-js/MAL-2026-4662.json"
cwes
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]