-= Per source details. Do not edit below this line.=-
router_init.js line 4 contains the canonical obfuscated-payload-execution pattern: eval(Buffer.from(<base64-blob>, 'base64').toString(...)). This decodes a hidden byte blob and executes it as JavaScript at the moment the file is loaded, allowing arbitrary author-supplied code to run on the installer's machine without any visible source. There is no legitimate reason for a package described as a 'lab helper' to ship a base64-encoded eval'd payload in a file named router_init.js, and the obfuscation is specifically designed to defeat source review. Any code path that requires this module — including normal application startup or transitive imports — will execute the hidden payload.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-005322",
"import_time": "2026-06-11T00:00:58.506202458Z",
"sha256": "650b9b18b0bc5101d5d948edf6bb841af88e20509a061dbbfe3fa21a8658b819",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:35:46Z",
"versions": [
"0.0.16"
]
},
{
"id": "IN-MAL-2026-005324",
"versions": [
"0.0.11"
],
"sha256": "9448c8cb290ff20cf707537035a6c383a4506b452c3ddc0e4c56bc398e02dbc7",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:36:46Z",
"import_time": "2026-06-11T00:00:58.699196382Z"
},
{
"id": "IN-MAL-2026-005325",
"versions": [
"0.0.15"
],
"sha256": "c15cab8e8dc86301754623991e2ae38130feb1a7b5d26e7a204ac2fbd918a166",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:36:56Z",
"import_time": "2026-06-11T00:00:58.797247524Z"
},
{
"id": "IN-MAL-2026-005323",
"versions": [
"0.0.2"
],
"sha256": "cef9ef58b6705aee11294b49f3e944e60b4047973a98378abc2f37e3dacd627b",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:36:37Z",
"import_time": "2026-06-11T00:00:58.593243686Z"
},
{
"id": "IN-MAL-2026-005326",
"import_time": "2026-06-11T00:00:58.956948473Z",
"sha256": "e12350df6e9a9d5a75f3796a6ebe9c08156ada9cbfd29acd480bf78fa51e61b9",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:37:03Z",
"versions": [
"0.0.5"
]
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "router_init.js",
"sha256": "3ed6e162a46f00edce3bcaf365b5a9ac82d4c9e9c5a4c8efaa9622e68b1cafe7",
"tlsh": "7201ef6ccf217988190054cb38eba92a846b03d4f4a468e54aed1ecb8675b5764fb8c8"
}
],
"package_integrity": [
{
"filename": "lab-helper-test-0.0.16.tgz",
"hashes": {
"sha512_sri": "sha512-Avp3BR3qRNDjs+0GAO/nizPNvTvuY1JzD9gxGJ7JBprvx6vPaD+0bUSajv6JDQNCLchRgnkZmvk7DjU+mxd2Yg==",
"sha1": "9e35d4d7f0a16fe5ce57e81d1bd9a02918b9af5b"
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@thomlecter1122/lab-helper-test/MAL-2026-5534.json"