MAL-2026-5364

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cms-store-ren/MAL-2026-5364.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5364
Published
2026-06-04T12:05:39Z
Modified
2026-06-11T05:46:34.218995352Z
Summary
Malicious code in cms-store-ren (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (da3593e36ce898d648883ea6f911a5cec1f75f9e8bda5585f7ff5f8754c821de)

The package's scripts.install runs install.js on every npm install. The script unconditionally POSTs the installer's hostname, OS, and architecture to api.telegram.org using a hardcoded bot token and chat ID (install.js:7 BOT_TOKEN = '8877182499:...', install.js:50-56 builds the message and sends via sendTelegramMessage()). On Windows, the same script writes a hidden PowerShell bootstrapper that installs Scoop/Winget and Deno, then executes deno -A http://77.90.185.225/deee80f30a6921b4.js — fetching an arbitrary JavaScript payload from a bare-IP HTTP URL and running it with all Deno permissions under a hidden PowerShell window. The package has no legitimate functionality (index.js only logs a string; placeholder author work1, description cms install) and exists solely to deliver the install-time payload. Both install-time host reconnaissance exfiltration and install-time arbitrary remote code execution from attacker infrastructure are present.

Source: ossf-package-analysis (1e0e43b074cffbde07a16c0b1ae1645b1edebcfa7fe192f6161237b0f011952d)

The OpenSSF Package Analysis project identified 'cms-store-ren' @ 1.1.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.1.1"
            ],
            "sha256": "1e0e43b074cffbde07a16c0b1ae1645b1edebcfa7fe192f6161237b0f011952d",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-04T12:05:39Z",
            "import_time": "2026-06-09T12:03:46.983784168Z"
        },
        {
            "versions": [
                "1.1.1"
            ],
            "sha256": "da3593e36ce898d648883ea6f911a5cec1f75f9e8bda5585f7ff5f8754c821de",
            "modified_time": "2026-06-11T05:10:25Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T05:41:05.954798755Z",
            "id": "IN-MAL-2026-005549"
        },
        {
            "versions": [
                "1.1.1"
            ],
            "sha256": "7d7f0ddfa720bc522473f92b17681d0c2092724865c30103b7c2cb558b9b5629",
            "modified_time": "2026-06-11T05:10:25Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T05:41:06.044063131Z",
            "id": "IN-MAL-2026-005550"
        }
    ]
}

Affected packages

npm / cms-store-ren

Affected versions

1.*
1.1.1

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "cms-store-ren-1.1.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-1opt+gaixQP4XLgTtBYpJgm3EUw4RrCYe8QprsSiFmanT4IrFckNgh57xS55XJgdyFSBbirg9WRG6JtJ5Hm2jQ==",
                "sha1": "1feda0c27848bc53241bdebe942abc45103f7c05"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "ec5bc6c76a845d717e0cbb7c7f29f38dedf1bdb22a83ea68620cf4f31824a87c",
            "path": "install.js",
            "tlsh": "9e7142d023f5c2e547736fb2b5d2a60ae22e80297213d380f4bd81c17fa1568c7a1dac"
        },
        {
            "sha256": "24ca0eabb8c574d5facfc36781b96edccffdd40f7952289ef956a47b51dce9f2",
            "path": "package.json",
            "tlsh": "fee026328b13497328f45b916c671105f2120f2f02344c0f39fb001c6bb322904ab31e"
        }
    ],
    "domains": [
        "api.telegram.org"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cms-store-ren/MAL-2026-5364.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]