MAL-2026-4704

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/veteran-proxy/MAL-2026-4704.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4704
Published
2026-05-21T15:21:38Z
Modified
2026-05-26T06:03:02.702446657Z
Summary
Malicious code in veteran-proxy (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e2528c02db9bcb4016a3347fdfae55c037c0462d6c0d29adb4245605424ad31f)

On npm install, the postinstall hook (node install.js) downloads a platform-specific binary archive from a hardcoded https://your-website.com/downloads/veteran/... URL, extracts it, chmods it 0755, and immediately executes it (execSync("${BIN_PATH}" version)). The README advertises that binaries come from GitHub Releases at github.com/yongjie0203/veteran/releases, but the install script hardcodes your-website.com, with a Chinese-language comment instructing the maintainer to replace it with their real download host; the package was published to npm with the placeholder still in place. The fetched bytes are not checked against any hash or signature. Whoever registers or already controls your-website.com can ship arbitrary executables to every installer of this package, with full code execution on the installer's machine. Even if no malicious intent is evident today, the install path is undefined: the destination domain is not under the publisher's control, the URL is unpinned, and the fetched binary's purpose (advertised as a SOCKS5 proxy) cannot be verified.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:51:29.946997006Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "b3eb733a784dc5c0ef6bcae90345204241a6b4e504f86e22fee7e66fae22376d",
            "id": "IN-MAL-2026-003876",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T15:23:25Z"
        },
        {
            "modified_time": "2026-05-21T15:21:38Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "e2528c02db9bcb4016a3347fdfae55c037c0462d6c0d29adb4245605424ad31f",
            "id": "IN-MAL-2026-003875",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:51:29.843670511Z"
        }
    ]
}

Affected packages

npm / veteran-proxy

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "domains": [
        "your-website.com"
    ],
    "evidence_files": [
        {
            "sha256": "019fd9b9d08f3df3fe2b5d79dc3157452c8551aa62550beb39837672a2ad0fa6",
            "tlsh": "21d165c959f3923146b351de574f2016b22b80032509da5cbaad83587fa3f64c5a2bff",
            "path": "install.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-ZDxRP7sLaBoGHbO1SSCL/+RZzvsahvRPCRdZQlI+/3ZkPfxW1f/tdNkhxOSMhU+jxD84uBiFjW1JP/q8S9bgkQ==",
                "sha1": "87fe450cded3ddd2d9dfcc5c0a3a120418f51d57"
            },
            "filename": "veteran-proxy-1.0.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/veteran-proxy/MAL-2026-4704.json"