MAL-2026-4778

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/1cat-tunnel-client-zx/MAL-2026-4778.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4778

Published

2026-05-26T06:10:33Z

Modified

2026-05-26T09:31:44.607108430Z

Summary

Malicious code in 1cat-tunnel-client-zx (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (796f1b18c13a38088b4e48d75575eb92b23af5d91cdfaf6a82717f0fabbc7a79)

On npm install, the package's postinstall hook (node install.js) fetches a platform-specific executable from http://156.226.174.161:8888/binaries/tunnel-client-* over plaintext HTTP, writes it to the package's bin/ directory, and chmod 0755s it. The download URL is hardcoded to a bare IP address, uses cleartext HTTP (no TLS), is not pinned to a version, and the fetched bytes are never hash- or signature-verified before being made executable. The cli.js fallback performs the same unverified download on first CLI invocation if the binary is missing. Any on-path network attacker between the installer and 156.226.174.161 — or any future operator of that IP — can substitute arbitrary native code that will then run on the installer's machine. The destination is not a known runtime CDN, not the package publisher's own infrastructure, and the package's stated purpose (a tunnel client) does not justify forgoing TLS or integrity verification. Separately, the README ships plaintext admin credentials for the author's own tunnel server, which is author self-harm and not the basis for this block.

Database specific

{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "616be417e8ec33626ef98fe1056bfbd52142e3c44ed4e3158ca5f58ae7cf7331",
            "modified_time": "2026-05-26T06:10:33Z",
            "versions": [
                "1.0.2"
            ],
            "import_time": "2026-05-26T06:26:13.484100154Z",
            "id": "IN-MAL-2026-004846"
        },
        {
            "source": "amazon-inspector",
            "sha256": "796f1b18c13a38088b4e48d75575eb92b23af5d91cdfaf6a82717f0fabbc7a79",
            "modified_time": "2026-05-26T07:54:58Z",
            "import_time": "2026-05-26T09:17:31.501395946Z",
            "id": "IN-MAL-2026-004863",
            "versions": [
                "1.0.3"
            ]
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / 1cat-tunnel-client-zx

Package

Name: 1cat-tunnel-client-zx; View open source insights on deps.dev
Purl: pkg:npm/1cat-tunnel-client-zx

Affected ranges

Affected versions

1.*

1.0.2

1.0.3

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/1cat-tunnel-client-zx/MAL-2026-4778.json"

indicators

{
    "package_integrity": [
        {
            "filename": "1cat-tunnel-client-zx-1.0.2.tgz",
            "hashes": {
                "sha1": "9cb87e00be613348faf50b7541aa6d5b0b57b052",
                "sha512_sri": "sha512-/5qY16ulHM95Nwp9wO8upfc+Zq6Uupus+T7VBaf3runxhMs5OsMfYisrEZCM0eKCyAIt9nRtNSMr41MBgwubVg=="
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "9619f11d60eed2b1b2240b229177f7b367481a9559e77ebb826bbfff8165c7cd",
            "tlsh": "095133c909f29038d572a6c58b9f6909f0338813b60bfe48f59c074d1f919589587afe",
            "path": "install.js"
        },
        {
            "path": "README.md",
            "tlsh": "812174d8cfa154d2aea3aaa043ca665bc1340613a06bb80c37fb1b55ea04927049f5c2",
            "sha256": "3644ad6ca7036875637a44827932ed6e0b5e46813a9737bb40f5a54bcf814d43"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]