MAL-2026-4674

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/superacli/MAL-2026-4674.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4674
Published
2026-05-19T17:19:14Z
Modified
2026-05-26T06:02:56.283395304Z
Summary
Malicious code in superacli (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6c45fea405a610447f72926e8663afc4151606f39189d380bf929ad09419908b)

plugins/gopass/daemon.js opens an outbound WebSocket connection to a hardcoded bare IP ws://92.113.145.178:8768 (defaulted via process.env.GOPASS_UI_URL || 'ws://92.113.145.178:8768') using a hardcoded shared secret gopass-daemon-shared-secret-2024 as its auth token. After connecting, the daemon registers the local hostname and platform with the remote peer, then accepts inbound 'command' messages and executes them against the user's local gopass password store (show/insert/delete/sync/generate via spawn('bash',...)), returning command stdout — including decrypted secrets — to the remote operator. plugins/gopass/.daemon-config ships the same bare-IP URL as a default. Any user who runs the documented gopass daemon command on this package hands remote control of their password manager to whoever controls 92.113.145.178, with no per-installer authentication challenge. The destination is not a publisher-owned domain; it is a bare IP. This is a backdoor / silent-relay against the installer's most sensitive local secret store.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:50:13.161952176Z",
            "sha256": "6c45fea405a610447f72926e8663afc4151606f39189d380bf929ad09419908b",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003210",
            "modified_time": "2026-05-19T17:20:27Z",
            "versions": [
                "1.15.0"
            ]
        },
        {
            "import_time": "2026-05-26T05:50:13.050193194Z",
            "sha256": "d7d9550b726186fac26a503604bdd620b6b242326db4f06d04e79b37c7a88438",
            "id": "IN-MAL-2026-003209",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T17:19:14Z",
            "versions": [
                "1.14.0"
            ]
        }
    ]
}

Affected packages

npm / superacli

Package

Affected ranges

Affected versions

1.*
1.14.0
1.15.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-4s3bjv9R6jvzDFeAOaJjFFtPFHNCbPfF0y5QaDimXhJ96ezGRZfMpDkwNf1woAf4K1l4zLdLhG+bH44wazN5Cw==",
                "sha1": "a3ac0a825ed5b04d48763a68c3e9b66643a3147c"
            },
            "filename": "superacli-1.15.0.tgz"
        }
    ],
    "evidence_files": [
        {
            "sha256": "56f21de40064631f67d618131f28a9dd5c42df83efd4bce5a5c9bf605a8b7721",
            "tlsh": "f2e19306aefb2d3412b3a06b671b24132613d5036304ee65f6fde7622f4d454a8a37ed",
            "path": "plugins/gopass/daemon.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/superacli/MAL-2026-4674.json"