MAL-2026-4823

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/msc-terminal/MAL-2026-4823.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4823
Published
2026-05-25T10:04:53Z
Modified
2026-05-27T01:16:38.160523408Z
Summary
Malicious code in msc-terminal (npm)
Details

Part of a multi-package malicious campaign, msc-terminal (npm author nhpkevte1576) carries the same payload as eo-terminal and logger-draft: a fully featured infostealer and remote access trojan (RAT) deployed via a postinstall hook. All three packages share the same C2 infrastructure and attack chain.

On installation, the postinstall hook copies a large JavaScript agent to a persistent location disguised as MicrosoftSystem64 and registers it for persistence (a systemd unit on Linux, a LaunchAgent on macOS, a scheduled task or registry Run key on Windows). A sandbox check (CPU count and CPU model string) aborts execution in analysis environments. The install then exits cleanly with process.exit(0), so `npm install` shows no error output and the compromise is not visible from the install log.

C2 infrastructure: Primary WebSocket/HTTP C2 at ws://195.201.194.107:8010 (Hetzner Cloud, Germany). Stolen data is also exfiltrated to HuggingFace repository yszf984308/system-release via a hardcoded API token.

Capabilities (shared with campaign):
- Keylogger: keystroke and password capture with offline queuing
- Clipboard harvesting: 1,000 ms polling via platform-native tools
- Screenshot capture and live streaming
- Browser credential theft: Chromium-family and Firefox profile directories
- Crypto wallet exfiltration: 20+ desktop wallets
- SSH backdoor: exfiltrates SSH keys and injects attacker RSA public key into authorized_keys
- Shell history theft: 15+ history file formats across all user home directories
- Environment variable and .env file theft: targets cloud and CI/CD credentials at install time
- Telegram session theft: full tdata/ directory exfiltration
- Cloud credential theft: AWS, Azure, GCP, Kubernetes, Docker, GnuPG
- Recursive filesystem scan: certificate, key, and wallet files uploaded to HuggingFace
- Remote command execution and interactive terminal sessions
- Self-update via HuggingFace-hosted native binaries
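The indicators above (package names, the affected version, the tarball SRI/sha1, the payload.js sha256, the MicrosoftSystem64 persistence name, the C2 endpoint and the HuggingFace repository) are enough for an offline triage pass over a project's lockfile, its package.json install hooks, and host artifacts such as unit files or plists. The following Python script is an added example and is not part of the OSV record, npm, or the ossf/malicious-packages tooling; every indicator is copied from this advisory, while all function names and the sample lockfile, package.json and systemd unit text are this example's own constructed inputs.

```python
"""Offline IOC triage for the msc-terminal campaign (MAL-2026-4823).

Added example; it is not part of the OSV record, npm, or the
ossf/malicious-packages tooling.  Every indicator below is copied from
the advisory text; function names and the sample inputs are this
example's own (constructed).
"""
import base64
import hashlib
from typing import Optional

# --- indicators taken from the advisory -------------------------------
CAMPAIGN_PACKAGES = {"msc-terminal", "eo-terminal", "logger-draft"}
AFFECTED = {("msc-terminal", "3.2.0")}          # only version listed on this page
TARBALL_SRI = ("sha512-1N/IENXxz6o9h59ovcv9gEY17uNKIJamOBfY50Zl7cMN0iMGhTy"
               "YZqTc4LR6XDbDRZWAWM9dHaveiO+z9wmg7Q==")
TARBALL_SHA1 = "3bf608454992b27aaf42d8b2b202f9e2c2c852e5"
PAYLOAD_SHA256 = "f447b007e2d8a315a2fff6c51406334584ab0f3fa66bb3c210df1e9eb1fc6823"
HOST_INDICATORS = ("MicrosoftSystem64", "195.201.194.107:8010",
                   "yszf984308/system-release")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def sri_sha512(data: bytes) -> str:
    """npm's integrity string: 'sha512-' + base64 of the raw digest."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def classify_artifact(data: bytes) -> Optional[str]:
    """Name the advisory artifact whose published hash matches `data`, if any."""
    if sri_sha512(data) == TARBALL_SRI or hashlib.sha1(data).hexdigest() == TARBALL_SHA1:
        return "msc-terminal-3.2.0.tgz"
    if hashlib.sha256(data).hexdigest() == PAYLOAD_SHA256:
        return "payload.js"
    return None


def lockfile_findings(lock: dict) -> list:
    """Scan a parsed package-lock.json (lockfileVersion 2/3).

    npm keys every installed package as 'node_modules/<name>' (nested
    copies as '.../node_modules/<name>') under 'packages'.
    Returns (name, version, verdict) tuples.
    """
    out = []
    for key, meta in lock.get("packages", {}).items():
        name = key.rsplit("node_modules/", 1)[-1]
        if name not in CAMPAIGN_PACKAGES:
            continue
        version = meta.get("version", "")
        if (name, version) in AFFECTED or meta.get("integrity") == TARBALL_SRI:
            verdict = "malicious: version or tarball hash listed in advisory"
        else:
            verdict = "campaign package, version not listed on this page: review"
        out.append((name, version, verdict))
    return out


def install_hooks(pkg: dict) -> dict:
    """Lifecycle scripts npm runs at install time; the advisory's dropper is a postinstall."""
    scripts = pkg.get("scripts", {})
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}


def grep_indicators(text: str) -> list:
    """Advisory strings present in a unit file, plist, shell history or log blob."""
    return [ioc for ioc in HOST_INDICATORS if ioc in text]


# --- constructed sample inputs (not real artifacts) -------------------
SAMPLE_LOCK = {
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"msc-terminal": "^3.2.0"}},
        "node_modules/msc-terminal": {"version": "3.2.0", "integrity": TARBALL_SRI},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/logger-draft": {"version": "1.0.0"},
    },
}
SAMPLE_PKG = {"name": "msc-terminal", "version": "3.2.0",
              "scripts": {"postinstall": "node payload.js", "test": "jest"}}
SAMPLE_UNIT = ("[Service]\n"
               "ExecStart=/usr/bin/node /home/u/.config/MicrosoftSystem64/agent.js\n"
               "Environment=C2=ws://195.201.194.107:8010\n")

if __name__ == "__main__":
    for finding in lockfile_findings(SAMPLE_LOCK):
        print("lockfile:", *finding)
    print("install hooks:", install_hooks(SAMPLE_PKG))
    print("unit file IOCs:", grep_indicators(SAMPLE_UNIT))
    print("unknown blob:", classify_artifact(b"not the real tarball"))
```

Replace the sample dicts with `json.load()` of a real package-lock.json and package.json, and feed `classify_artifact` the bytes of any cached tarball (for example from the npm cache) or suspicious `payload.js`. Because the whole attack chain runs from a postinstall hook, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) in CI prevents this class of dropper from executing at all, at the cost of breaking packages that legitimately need install scripts.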


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (eec05fa3df0248b788635026129e1ca42d37887fe05235f20f2e9ad6f0ad6f27)

Cross-platform infostealer/RAT. postinstall installs obfuscated payload.js as 'MicrosoftSystem64' persistence (schtasks/launchctl/systemd). Keylogger w/ password-field detection, 27-wallet drainer, browser+SSH cred exfil, HuggingFace as covert C2.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.2.0"
            ],
            "sha256": "eec05fa3df0248b788635026129e1ca42d37887fe05235f20f2e9ad6f0ad6f27",
            "modified_time": "2026-05-26T15:16:10Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T16:47:31.520541513Z",
            "id": "IN-MAL-2026-004927"
        }
    ]
}
References
Credits

Affected packages

npm / msc-terminal

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

3.*
3.2.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "msc-terminal-3.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-1N/IENXxz6o9h59ovcv9gEY17uNKIJamOBfY50Zl7cMN0iMGhTyYZqTc4LR6XDbDRZWAWM9dHaveiO+z9wmg7Q==",
                "sha1": "3bf608454992b27aaf42d8b2b202f9e2c2c852e5"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "f447b007e2d8a315a2fff6c51406334584ab0f3fa66bb3c210df1e9eb1fc6823",
            "path": "payload.js",
            "tlsh": "8c05e740b6c0e5ac238b4fb7b637b0d5d41b0e4e34885b8bd194fc1569a6607eafda34"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/msc-terminal/MAL-2026-4823.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]