MAL-2026-4697

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/twokey/MAL-2026-4697.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4697
Published
2026-05-24T08:52:15Z
Modified
2026-05-26T06:02:59.533191407Z
Summary
Malicious code in twokey (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (20c6d8e22fd03dd5ff39bac81bcbffd05db3b2a08dcf9768332094ffcca4eebd)

The package's postinstall hook unconditionally executes node bin/twokey.js --desktop --enable-autostart, which performs three install-time actions without prompting the installer: (1) fetches https://api.github.com/repos/meinzeug/twokey/releases/latest, downloads the resulting AppImage to ~/.local/share/twokey/bin/twokey-ai.AppImage, chmods it 0755, and spawns it detached with stdio ignored — the URL is the mutable 'latest' endpoint, not pinned to the npm package version, and no hash or signature verification is performed; (2) writes ~/.config/systemd/user/twokey.service and runs systemctl --user daemon-reload && systemctl --user enable twokey.service so the auto-downloaded AppImage runs on every boot; (3) when the hook is invoked via sudo, it re-spawns itself as the original user via sudo -u $SUDO_USER -H node bin/twokey.js --desktop --enable-autostart with XDG_RUNTIME_DIR and DBUS_SESSION_BUS_ADDRESS injected, extending the install footprint into the desktop user's session. The destination repo matches the publisher and the binary is consistent with the package's stated Tauri-desktop purpose, but the combination of mutable-URL fetch + no integrity check + silent execution + persistence install means the installer receives, executes, and persistently autostarts whatever bytes the releases/latest pointer resolves to at install time — fully decoupled from the npm version the installer thought they had vetted.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:52:41.126281306Z",
            "versions": [
                "1.0.11"
            ],
            "id": "IN-MAL-2026-004481",
            "sha256": "20c6d8e22fd03dd5ff39bac81bcbffd05db3b2a08dcf9768332094ffcca4eebd",
            "modified_time": "2026-05-24T09:38:06Z",
            "source": "amazon-inspector"
        },
        {
            "import_time": "2026-05-26T05:52:40.821728169Z",
            "versions": [
                "1.0.8"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004478",
            "modified_time": "2026-05-24T09:21:05Z",
            "sha256": "3e99c99c6d68f67dc08105da452c97c94c708001192919dea62ce0e4a3a26559"
        },
        {
            "import_time": "2026-05-26T05:52:40.044021753Z",
            "versions": [
                "1.0.5"
            ],
            "id": "IN-MAL-2026-004472",
            "sha256": "5314d8f5cb1c73de1c6efffd1b055957a8f2dc78b1ea828a1c841eedd78a2a82",
            "modified_time": "2026-05-24T08:52:15Z",
            "source": "amazon-inspector"
        },
        {
            "import_time": "2026-05-26T05:52:41.233142408Z",
            "versions": [
                "1.0.11"
            ],
            "id": "IN-MAL-2026-004482",
            "sha256": "891e263399578e7ba6449fbd625f70eb93a3a6a4aa4d5cf05ad8db29bfa2292a",
            "modified_time": "2026-05-24T09:38:06Z",
            "source": "amazon-inspector"
        },
        {
            "import_time": "2026-05-26T05:52:40.91560592Z",
            "versions": [
                "1.0.10"
            ],
            "sha256": "8eeb0ae7f4d322804acf874ab171cb8eb3c46327808556a80efcacafd61e343e",
            "source": "amazon-inspector",
            "modified_time": "2026-05-24T09:32:54Z",
            "id": "IN-MAL-2026-004479"
        },
        {
            "import_time": "2026-05-26T05:52:41.031674581Z",
            "versions": [
                "1.0.10"
            ],
            "id": "IN-MAL-2026-004480",
            "sha256": "b517a8d7e82e030754a6f3e8796c273f94948d0f787427f41c10f06ac5f61d0c",
            "modified_time": "2026-05-24T09:32:55Z",
            "source": "amazon-inspector"
        },
        {
            "import_time": "2026-05-26T05:52:40.589884455Z",
            "versions": [
                "1.0.7"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004476",
            "modified_time": "2026-05-24T09:17:58Z",
            "sha256": "40cc2b8b94b9497167993e2354800704b2d225bee157273eff906252edb889d4"
        },
        {
            "import_time": "2026-05-26T05:52:40.446342943Z",
            "versions": [
                "1.0.7"
            ],
            "id": "IN-MAL-2026-004475",
            "sha256": "884f25147369c250f3aae797c9d71a5a61d877dff3a23ad1fbf21ae8de0054c5",
            "modified_time": "2026-05-24T09:17:57Z",
            "source": "amazon-inspector"
        },
        {
            "import_time": "2026-05-26T05:52:40.695000228Z",
            "versions": [
                "1.0.8"
            ],
            "sha256": "9d008afe51df3700da0e0a4c85d7c8e43aa4404076d4f4ef05c1956c220938aa",
            "source": "amazon-inspector",
            "modified_time": "2026-05-24T09:21:04Z",
            "id": "IN-MAL-2026-004477"
        },
        {
            "import_time": "2026-05-26T05:52:40.181561725Z",
            "versions": [
                "1.0.5"
            ],
            "id": "IN-MAL-2026-004473",
            "sha256": "b186d392146b1d8ce3460080cc7889794fc0b9535f7af8c601b69d2a6c5009db",
            "modified_time": "2026-05-24T08:52:42Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / twokey

Package

Affected ranges

Affected versions

1.*
1.0.5
1.0.7
1.0.8
1.0.10
1.0.11

Database specific

indicators
{
    "domains": [
        "api.github.com"
    ],
    "evidence_files": [
        {
            "tlsh": "a941502dd0e7042403f092ba600bd82a2df940022756d9a0b6fc4a75bfc913ca1f25de",
            "sha256": "b88eba0a4eff557f8a2561c98def8e742b5b578af39d7a8f893472a05f83beb2",
            "path": "bin/postinstall.js"
        },
        {
            "tlsh": "0932a30a99f7253101b320685a6fa4037158db032a98de51b7fc4250bfd573d8abbbed",
            "sha256": "a43851b12acde1d243c4e34bf53095c6ac75f24c231b37bf6348bca4ae366f41",
            "path": "bin/twokey.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-NXX0zygD8A4HtoQkEqVielg7OHjli3MpJFU4oG424u2WfnoZpTdwBqr1wfcAtTjECrDYHp1dFUVhetP1As7kbA==",
                "sha1": "1ba98c61dd4c9af294fb4ce99e9611e46d1f0291"
            },
            "filename": "twokey-1.0.11.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/twokey/MAL-2026-4697.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]