MAL-2026-4703
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/veteran/MAL-2026-4703.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4703
- Published
- 2026-05-21T16:28:03Z
- Modified
- 2026-05-26T06:03:02.783582371Z
- Summary
- Malicious code in veteran (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (70a20dd9f8d6a9df01d766c25693711d90e4303e3c68fa371f0b842f83c485b4)
On
npm install, the package's postinstall hook (install.js, registered viapackage.jsonline 10"postinstall": "node install.js") downloads a platform-specific executable fromhttps://laogou.us/download/veteran/v1.0.0/veteran_1.0.0_<platform>_<arch>.{tar.gz,zip}(install.js:13const DOWNLOAD_BASE_URL = 'https://laogou.us/download/veteran'), extracts it via shelltar/unzip,chmod 0o755s it (install.js:165), and immediately executes it (install.js:170execSync("${BIN_PATH}" version",...)). The download hostlaogou.usdoes not match the package's declared publisher/homepage (github.com/yongjie0203/veteran); the URL is not version-pinned to a hash or signature; no checksum or signature verification is performed on the fetched bytes; and source comments suggest the URL is meant to be swapped by future maintainers. The operator oflaogou.uscan therefore serve arbitrary native code to every installer, with the bytes executed under the installer's user onnpm install. This matches the publisher-mismatched, unverified, mutable-host dropper pattern. - Database specific
{ "malicious-packages-origins": [ { "modified_time": "2026-05-22T12:08:42Z", "versions": [ "1.0.5" ], "sha256": "2090d10d814f7a007b22aef6b4a02f936d6aa7c4d6aa3e33119cb4790b7a1cc7", "id": "IN-MAL-2026-004199", "source": "amazon-inspector", "import_time": "2026-05-26T05:52:07.751401281Z" }, { "modified_time": "2026-05-21T16:28:04Z", "versions": [ "1.0.3" ], "sha256": "32d36199543a5734d26e7afa06931d745a1bc1e45b6e381cf0b6de00569bec33", "id": "IN-MAL-2026-003903", "source": "amazon-inspector", "import_time": "2026-05-26T05:51:32.946530679Z" }, { "modified_time": "2026-05-21T16:28:03Z", "versions": [ "1.0.3" ], "sha256": "70a20dd9f8d6a9df01d766c25693711d90e4303e3c68fa371f0b842f83c485b4", "id": "IN-MAL-2026-003902", "source": "amazon-inspector", "import_time": "2026-05-26T05:51:32.837610855Z" }, { "modified_time": "2026-05-22T12:08:42Z", "versions": [ "1.0.5" ], "sha256": "8a0b963f374ca64c5f3c294b3479ec208aa4c4fd28e2fcc536f0a40f46589fe4", "id": "IN-MAL-2026-004200", "source": "amazon-inspector", "import_time": "2026-05-26T05:52:07.866508734Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / veteran
Package
- Name
- veteran
- View open source insights on deps.dev
- Purl
- pkg:npm/veteran
Database specific
indicators
{
"evidence_files": [
{
"sha256": "3426e013b778c090d500dd32edb24ebd51bc8a508c0a34d2b8ac42a5d5fe2e67",
"tlsh": "d9d176c95af3923147b3519a574b2412722b80132509da9c7aad83587fa2f64c1a27ff",
"path": "install.js"
}
],
"domains": [
"laogou.us"
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-CvuPok1uJTY3yRHpvfTqlEcgSiSrNZV1PklJRMs74My+NjL/zTO1wXU5t5xzm2V2CXmJaIwVNtEBtj8qdSMiSQ==",
"sha1": "0052d8a2de42bc9f2899a68e58c9891116c1e26f"
},
"filename": "veteran-1.0.5.tgz"
}
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/veteran/MAL-2026-4703.json"