MAL-2026-5528

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/events-runtime/MAL-2026-5528.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5528
Published
2026-06-10T18:09:36Z
Modified
2026-06-11T04:01:32.102132116Z
Summary
Malicious code in events-runtime (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca)

The package name and description impersonate the popular events package (Node's event emitter for all engines). The vendored events.js adds an undocumented branch in EventEmitter.prototype.emit: when an emitted event's first argument has eventId == 'eventId0', line 160 spawns a detached child process running node tests/galas-emit.min.js with stdio: 'ignore' and windowsHide: true, so it produces no output and no visible window. tests/galas-emit.min.js is heavily obfuscated (obfuscator.io-style string-array indirection, base64-encoded RPC URLs and contract address) and performs three hostile actions: (1) it connects to Ethereum Sepolia via Infura/Alchemy and calls getCwPrivatePublic / getTData1 / getTData2 on contract 0x661e50E19f05E3c0d04fD75891456D1F0A24508D, AES-GCM/PBKDF2-decrypts the returned ciphertext, writes it to tests/galas.min.js, sets mode 755 with chmodSync and executes it with process.execPath — the contract owner can rotate the executed payload at any time via a blockchain transaction; (2) it builds a system report (platform, OS release, arch, hostname, CPU count, memory, uptime) and POSTs it to slack.com/api/chat.postMessage with hardcoded bot token xoxb-11307403103236-... and to api.telegram.org/bot8961878831:.../sendMessage with hardcoded chat id -1003952553968; (3) it spawns tests/errors.min.js, which polls conversations.history every 10s on Slack channel C0B8GEPFMK9 with bot token xoxb-11301867762550-..., AES-GCM-decrypts chunked messages from a specific user/bot, reassembles them into tests/galas.min.js, sets mode 755 and executes it — a persistent post-install RCE channel. A magic message, exitexitexit, triggers anti-forensics: it deletes (fs.unlinkSync) events.js, galas-emit.min.js, errors.min.js and galas.min.js, splices 16 lines out of LICENSE, scrubs the redistribution clause from package.json, and issues taskkill /PID /T /F (Windows) or SIGTERM (Unix). This is a fully attacker-controlled remote-code-execution and reconnaissance backdoor disguised as an EventEmitter polyfill. Note that the contract address above differs from the ethereum_c2 contract in this record's indicators block, which also lists a second Slack channel; this description is attributed to the origin with sha256 aac4806d... (listed for version 3.2.1) while the package_integrity indicator names events-runtime-3.3.0.tgz, so these values may vary between versions and both sets should be treated as indicators.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005260",
            "versions": [
                "3.3.0"
            ],
            "sha256": "9dec390f61d4b2205b07cb0dae6c7be308ebf5c95a9167341b1ee6bfca485608",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:19:30Z",
            "import_time": "2026-06-10T19:23:46.250801076Z"
        },
        {
            "id": "IN-MAL-2026-005352",
            "versions": [
                "3.2.4"
            ],
            "sha256": "81f4151f241e7877d2286f5967a243b35c6d2453078ed5acc19bfc72b16167b2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:39:52Z",
            "import_time": "2026-06-11T02:24:27.17173588Z"
        },
        {
            "id": "IN-MAL-2026-005375",
            "versions": [
                "3.2.3"
            ],
            "sha256": "ce0cccf0a6a07263bbcbc1a126783d86d429ada554e38332c7217b603d3d7856",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T02:02:46Z",
            "import_time": "2026-06-11T02:24:28.656750392Z"
        },
        {
            "id": "IN-MAL-2026-005385",
            "versions": [
                "3.2.0"
            ],
            "sha256": "a32b51b6fc162552e8b95663c3dedd9ba44e4a3a4977772b5772e5ad4aacee8b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T02:48:11Z",
            "import_time": "2026-06-11T03:48:44.696064234Z"
        },
        {
            "id": "IN-MAL-2026-005386",
            "import_time": "2026-06-11T03:48:44.796508628Z",
            "sha256": "aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T02:48:26Z",
            "versions": [
                "3.2.1"
            ]
        },
        {
            "id": "IN-MAL-2026-005387",
            "import_time": "2026-06-11T03:48:44.914141747Z",
            "sha256": "d49bc1a05481ff0ad03ecdb0e740aad30c3c9e09d4858527febf9def08234445",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T02:48:30Z",
            "versions": [
                "3.1.3"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / events-runtime

Package

Affected ranges

Affected versions

3.*
3.1.3
3.2.0
3.2.1
3.2.3
3.2.4
3.3.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/events-runtime/MAL-2026-5528.json"
indicators
{
    "evidence_files": [
        {
            "path": "events.js",
            "sha256": "aa6738d3babe82b610026fbbcfff154b38fe3427a1d6f2b796b8bb12c3625cc8",
            "tlsh": "3e620ecc574a253652f2e3bf7f0a420af23482b751149150b95ccae51f3ac6882f6ee9"
        },
        {
            "path": "tests/galas-emit.min.js",
            "sha256": "73ae7fe45999c2d78711032b31cba10e666e25d5fa564c314c5fd83e9bfea05f",
            "tlsh": "064208ccf6d8763603aa759e82583c4745989da5622ec140ff41d8cb35ae3c0d562f78"
        },
        {
            "path": "tests/errors.min.js",
            "sha256": "227d9aabbbbedab2e77c975789a128eb872b7c9320d7593970fe7ea842832ce8",
            "tlsh": "a3a108c95a6d22bf0fd2204aec5e201308bcdc415f65e5d1ec0dea8f3e987906583ba1"
        },
        {
            "path": "Readme.md",
            "sha256": "997882a515e2ca2a4d2b1cb8fcc4c62ab4d2bab054e755dddb41e95f05471061",
            "tlsh": "bf510f8f2e812756ae5d13dfbb7660daff25c0fc709252547c1e0dac52661b0826e0ee"
        }
    ],
    "package_integrity": [
        {
            "filename": "events-runtime-3.3.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Vxvz0siscvToS27tNDOGMai6goYypCnqcQUywD4+cR0Kl2oIQkwvwyMgUiMs0JSpREXwWz+6FNr8DTGqgbihWg==",
                "sha1": "d4101c4e2abd6f0bba7cb769afaca6b7fa6d5d3f"
            }
        }
    ],
    "network_c2_iocs": {
        "files": [
            "tests/galas.min.js",
            "tests/galas-emit.min.js",
            "tests/errors.min.js"
        ],
        "slack": {
            "channels": [
                "C0B8XPGCKQS",
                "C0B8GEPFMK9"
            ],
            "token": "xoxb-11307403103236-11289767127959-yV5qQADdFGCI8oxsZTr8FJHk"
        },
        "trigger": "emit() args[0].eventId === 'eventId0'",
        "ethereum_c2": {
            "selector": "0x51e3adc0",
            "contract": "0xc0445F1b679DC46280A0f03F451bdf613b5A0feA",
            "rpc": "https://eth-sepolia.g.alchemy.com/v2/0E6xblLeXLnZSnn280R-O",
            "network": "sepolia"
        },
        "telegram": {
            "chat_id": "-1003952553968",
            "bot_token": "8961878831:AAG4WTbRUcbXI5UCaN4VXK8k57ghqqkg_qI"
        }
    }
}