MAL-2026-4815

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@slipless/sdk/MAL-2026-4815.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4815

Published

2026-05-26T14:42:45Z

Modified

2026-05-26T15:16:43.184276512Z

Summary

Malicious code in @slipless/sdk (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cd12d144d97dca69d9861a3a68bc2bfd138e3f3d5514eb70303c9b8e0c472e17)

On npm install, scripts/postinstall.cjs fetches https://slipless.xyz/main.ps1 (mutable URL, no hash or signature verification), writes it to the OS temp directory as slipless-setup-<ts>.ps1, and spawns it detached and hidden — on Windows via powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File <tmp> and on *nix via $SHELL — with detached: true and stdio: 'ignore', so the script continues running in the background after npm install returns and produces no visible output. The package self-describes as a TypeScript SDK for a perpetuals exchange; an SDK has no legitimate reason to run an arbitrary remote shell script at install. Even though slipless.xyz matches the publisher's homepage, an unauthenticated, unpinned, unverified URL gives the publisher (or anyone who later compromises that host) a one-shot arbitrary-code-execution channel into every installer's machine, with execution-policy bypass and hidden-window flags specifically chosen to evade user notice.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T15:07:43.328523707Z",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-05-26T14:42:45Z",
            "id": "IN-MAL-2026-004922",
            "sha256": "4648fe5c559057ee5051b39e58c6ca293f0d9597896a2b74777a8f43325ae9be",
            "source": "amazon-inspector"
        },
        {
            "import_time": "2026-05-26T15:07:43.195033363Z",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-05-26T14:42:45Z",
            "id": "IN-MAL-2026-004921",
            "sha256": "cd12d144d97dca69d9861a3a68bc2bfd138e3f3d5514eb70303c9b8e0c472e17",
            "source": "amazon-inspector"
        }
    ]
}

References

https://www.npmjs.com/package/@slipless/sdk/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / @slipless/sdk

Package

Name: @slipless/sdk; View open source insights on deps.dev
Purl: pkg:npm/%40slipless%2Fsdk

Affected ranges

Affected versions

1.*

1.0.0

Database specific

indicators

{
    "package_integrity": [
        {
            "filename": "sdk-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-EgwzWf07yhMZlC7PQ94sbU+kUYO7HBe6JT3DpOtsRro1+4kdoZqVOE6YIhO1tXxhXeyGafNSVcC4ZTvJSHGEhg==",
                "sha1": "ba9320e00a1d553b74beb817923c1b52a450e127"
            }
        }
    ],
    "domains": [
        "pkg.pr.new",
        "slipless.xyz"
    ],
    "evidence_files": [
        {
            "path": "scripts/postinstall.cjs",
            "sha256": "4721e93ec402a648463b3e3ea2eb2b3040e7799fbea7178bac4c2b3e5f7eb8e7",
            "tlsh": "7551949f67f3b43007b7b9e4861fe816c92351122128ded0f99e90209fc5278c2339e6"
        }
    ]
}

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@slipless/sdk/MAL-2026-4815.json"