MAL-2026-5558
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sensivity/MAL-2026-5558.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5558
- Published
- 2026-06-11T03:05:50Z
- Modified
- 2026-06-11T05:46:31.508501989Z
- Summary
- Malicious code in sensivity (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (ef8c17866ac1aee489e207f2a4cdb2eefbd17336edd0398b34c40ee5c69a8ef5)
On require()/import (package main is launcher.js with no install hook), the package performs the following without consent: (1) Persistence — runs PowerShell to write an HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry named 'OneDriveUpdate' that points at a bundled OneDrive.Standalone.Updater.vbs which silently launches
node launcher.json every login (WScript.Shell.Run with windowStyle=0). The name impersonates the Microsoft OneDrive updater. (2) Self-relaunching hidden daemon — kills any process listening on port 3000, then spawns a detached supervisor copy of itself (detached: true, stdio: 'ignore', windowsHide: true) which respawns a worker forever; the original process exits, leaving a hidden background daemon. (3) Process masquerade — both supervisor and worker setprocess.title = 'Runtime Broker'to impersonate the legitimate Windows RuntimeBroker.exe in Task Manager. (4) Browser surveillance — every 3 seconds, generates a PowerShell script that uses System.Windows.Automation to enumerate Edit controls in Chrome/Edge/Opera/Opera GX/Brave windows and reads their address-bar Value/Name (currently scanning for YouTube video idwJWta2lO0Lw, but the same code path reads any URL the user is visiting). (5) Obfuscated payload — launcher.js eval()s a 162KB obfuscator.io-style server.obf.js that uses RC4-decoded string arrays and dispatcher functions to hide its behavior from inspection. (6) HWID fingerprint exfiltration — the obfuscated payload computes SHA-256 over HKLM MachineGuid | hostname | volume serial and POSTs {key, hwid, nonce, app, version} to a hardcoded license endpoint embedded in the obfuscated strings. (7) Undisclosed native payload — bundles sens.node, a 6.6MB Windows PE containing strings 'Freecam', 'Teleport', 'spawnVehicle', 'Waypoint', '__licenseAccepted' — i.e., a GTA V / FiveM game cheat module — while package.json describes the package only as 'Sensivity Control Panel'. Any developer who installssensivityfrom npm gets persistent hidden autorun, a masqueraded background daemon, browser-URL surveillance, hardware-fingerprint exfiltration, and a game-cheat binary on their Windows machine. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-005428", "versions": [ "2.5.32" ], "sha256": "02215a5ed6f6a522ee5d84cf07a9fc34f473872527d1841d53a02700fc4f63eb", "source": "amazon-inspector", "modified_time": "2026-06-11T03:06:47Z", "import_time": "2026-06-11T03:48:50.033106235Z" }, { "id": "IN-MAL-2026-005433", "import_time": "2026-06-11T03:48:50.619758296Z", "sha256": "1178c633b373d071c39bc1ff60fa1456cfdc51e6d79862b0bf96202f9e97f7e3", "source": "amazon-inspector", "modified_time": "2026-06-11T03:07:38Z", "versions": [ "2.5.52" ] }, { "id": "IN-MAL-2026-005426", "import_time": "2026-06-11T03:48:49.769430679Z", "sha256": "1a604eb1b7c6c1a662402ef73b53f10e84ce251782e20919bbe77111647e32a8", "source": "amazon-inspector", "modified_time": "2026-06-11T03:06:31Z", "versions": [ "2.5.60" ] }, { "id": "IN-MAL-2026-005439", "import_time": "2026-06-11T03:48:51.371068303Z", "sha256": "a0946cc0dd42ab244736e739dd221f16b2397085339997f4e13feb34c2f9d88e", "source": "amazon-inspector", "modified_time": "2026-06-11T03:09:06Z", "versions": [ "2.5.27" ] }, { "id": "IN-MAL-2026-005429", "import_time": "2026-06-11T03:48:50.131207696Z", "sha256": "a8cb63439b4c57ac191c1a1660629bcee25318c22e7c10c643ff101409cd9acf", "source": "amazon-inspector", "modified_time": "2026-06-11T03:06:54Z", "versions": [ "2.5.51" ] }, { "id": "IN-MAL-2026-005424", "versions": [ "2.5.13" ], "sha256": "abf2d53e5f7926a4d41faea69ccfe1a51ebea96ea136e26423c617ce73d6da14", "source": "amazon-inspector", "modified_time": "2026-06-11T03:06:13Z", "import_time": "2026-06-11T03:48:49.559101368Z" }, { "id": "IN-MAL-2026-005427", "versions": [ "2.5.9" ], "sha256": "cb1ee370a1241d30e7bda3fea4d543fb3d3fc00ef89d32a4bfd4924e5acce0b6", "source": "amazon-inspector", "modified_time": "2026-06-11T03:06:37Z", "import_time": "2026-06-11T03:48:49.906385567Z" }, { "id": "IN-MAL-2026-005423", "versions": [ "2.5.0" ], "sha256": "f6aeb116ceaa3a97ba1312a9223e906d0c105db348fa90792913eea8e3e22141", "source": "amazon-inspector", "modified_time": "2026-06-11T03:06:09Z", "import_time": "2026-06-11T03:48:49.428099134Z" }, { "id": "IN-MAL-2026-005438", "import_time": "2026-06-11T03:48:51.232347885Z", "sha256": "0ee3d86cd76e4e0a3527de1ecb9e84918e4e6e167da5fd4f67c3aa0e4991fd17", "source": "amazon-inspector", "modified_time": "2026-06-11T03:09:02Z", "versions": [ "2.5.58" ] }, { "id": "IN-MAL-2026-005434", "versions": [ "2.5.61" ], "sha256": "30ca8bed7cfa07354b785fa62d79da21cc7fd5ad4a113f58664e4758bf36f30d", "source": "amazon-inspector", "modified_time": "2026-06-11T03:08:00Z", "import_time": "2026-06-11T03:48:50.74423426Z" }, { "id": "IN-MAL-2026-005442", "import_time": "2026-06-11T03:48:51.782794041Z", "sha256": "32972873bf24636a449b295822e92eb12b045e348f1fadf3634f74858eaa0c07", "source": "amazon-inspector", "modified_time": "2026-06-11T03:09:29Z", "versions": [ "2.5.5" ] }, { "id": "IN-MAL-2026-005425", "versions": [ "2.5.37" ], "sha256": "6907aea227a2d8728f3048fc72843eee7438f1204f7b4d65ece6ea56879a0fda", "source": "amazon-inspector", "modified_time": "2026-06-11T03:06:17Z", "import_time": "2026-06-11T03:48:49.663137957Z" }, { "id": "IN-MAL-2026-005421", "versions": [ "2.5.69" ], "sha256": "d6e891812c9ee055f54b52b7c40c0397387fd0c4537cde18becd70ed1a64047f", "source": "amazon-inspector", "modified_time": "2026-06-11T03:05:50Z", "import_time": "2026-06-11T03:48:49.209562408Z" }, { "id": "IN-MAL-2026-005436", "import_time": "2026-06-11T03:48:50.995273692Z", "sha256": "eaaef838d47cd3bd95307a17a61c10ee1689d477fbf7904c0d2431de754c22c3", "source": "amazon-inspector", "modified_time": "2026-06-11T03:08:11Z", "versions": [ "2.5.67" ] }, { "id": "IN-MAL-2026-005422", "import_time": "2026-06-11T03:48:49.310795472Z", "sha256": "68433178cf9a1fec4797366c4afc9d48ecc77c514ef93209253dd749befe811b", "source": "amazon-inspector", "modified_time": "2026-06-11T03:05:59Z", "versions": [ "2.5.7" ] }, { "id": "IN-MAL-2026-005431", "versions": [ "2.5.17" ], "sha256": "8dbc14086aabc88cbe8fda63df4594b3af6c16a7b92f48f79b1870a8c573702d", "source": "amazon-inspector", "modified_time": "2026-06-11T03:07:28Z", "import_time": "2026-06-11T03:48:50.336697375Z" }, { "id": "IN-MAL-2026-005432", "import_time": "2026-06-11T03:48:50.513516869Z", "sha256": "ef8c17866ac1aee489e207f2a4cdb2eefbd17336edd0398b34c40ee5c69a8ef5", "source": "amazon-inspector", "modified_time": "2026-06-11T03:07:33Z", "versions": [ "2.5.62" ] }, { "id": "IN-MAL-2026-005437", "import_time": "2026-06-11T03:48:51.09961555Z", "sha256": "55e0e161eaa74435ddd742764f2b50f49d4abfc127bb6c540c186ed9067ed6c5", "source": "amazon-inspector", "modified_time": "2026-06-11T03:08:16Z", "versions": [ "2.5.53" ] }, { "id": "IN-MAL-2026-005441", "import_time": "2026-06-11T03:48:51.642623562Z", "sha256": "71500352c7a0404ebbaa16411d030ca21354158c01253cbf01382cb5b19bb0b2", "source": "amazon-inspector", "modified_time": "2026-06-11T03:09:15Z", "versions": [ "2.5.20" ] }, { "id": "IN-MAL-2026-005430", "versions": [ "2.5.57" ], "sha256": "7a0adc123a5d9fe0f567228361cdf7fed446237e94919efb7a34b48043fb200b", "source": "amazon-inspector", "modified_time": "2026-06-11T03:07:21Z", "import_time": "2026-06-11T03:48:50.231538258Z" }, { "id": "IN-MAL-2026-005435", "versions": [ "2.5.12" ], "sha256": "e61ad4906e34fb2fd5ec55d784c2ba8bce7e97688a4e54b132403bd06bafcbb5", "source": "amazon-inspector", "modified_time": "2026-06-11T03:08:07Z", "import_time": "2026-06-11T03:48:50.865652125Z" }, { "id": "IN-MAL-2026-005440", "import_time": "2026-06-11T03:48:51.529553708Z", "sha256": "ffc7efd5a29f55389042b2aa05f24f3d6c25fb006e5fbcc7a17a2ad7fa8610f0", "source": "amazon-inspector", "modified_time": "2026-06-11T03:09:11Z", "versions": [ "2.5.19" ] }, { "id": "IN-MAL-2026-005511", "versions": [ "2.5.54" ], "sha256": "0953f1da59ba8c8c617e7c09960241653e1c766f7a9c99e4b338d9c315655302", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:55Z", "import_time": "2026-06-11T05:41:02.075976209Z" }, { "id": "IN-MAL-2026-005502", "import_time": "2026-06-11T05:41:01.146277081Z", "sha256": "1634e9d8ba917624a6849eb3fa8d72adbca90056d75b83f1fcc03d8a837539de", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:48Z", "versions": [ "2.5.50" ] }, { "id": "IN-MAL-2026-005504", "versions": [ "2.5.39" ], "sha256": "814f03f06698a9d199afcc836bb3db7ba2074bddabae77ae5f87fed4426703a3", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:50Z", "import_time": "2026-06-11T05:41:01.342744753Z" }, { "id": "IN-MAL-2026-005526", "import_time": "2026-06-11T05:41:03.540983566Z", "sha256": "9b9d0206882b4dd66b75851dc40c2c77cdfaf7200fd82daade0ec05b41231531", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:07Z", "versions": [ "2.5.46" ] }, { "id": "IN-MAL-2026-005490", "import_time": "2026-06-11T05:40:59.908528536Z", "sha256": "d51189961b285aaf34cf2628c3550a0281a2c60caea509ae7aa0b6e261c81340", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:38Z", "versions": [ "2.5.18" ] }, { "id": "IN-MAL-2026-005509", "import_time": "2026-06-11T05:41:01.896636075Z", "sha256": "7191cca927ae0425ad0533290f7f6eb9d0985d9a4d2383cec08be9caa4adc336", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:54Z", "versions": [ "2.5.21" ] }, { "id": "IN-MAL-2026-005514", "import_time": "2026-06-11T05:41:02.400294201Z", "sha256": "b71d466f163e313e4a86a6f52d59041086877ffab65c1dc29718ed77d8d1249a", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:00Z", "versions": [ "2.5.49" ] }, { "id": "IN-MAL-2026-005520", "versions": [ "2.5.25" ], "sha256": "bc3f3810cafb22f677350e9bd241d9199c87a95edfdbfa7776fdf1b9d95b12f7", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:03Z", "import_time": "2026-06-11T05:41:02.931069057Z" }, { "id": "IN-MAL-2026-005497", "versions": [ "2.5.10" ], "sha256": "c22db319dd81da164f1bacedd2c1f324d0e3507da194d8d5685e4c333e96d7df", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:44Z", "import_time": "2026-06-11T05:41:00.675968223Z" }, { "id": "IN-MAL-2026-005516", "versions": [ "2.5.6" ], "sha256": "d450a9ca29f56e3633690b306f87e5faf5f69a49ad3dcc7c7cc29871be12ebab", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:01Z", "import_time": "2026-06-11T05:41:02.581492217Z" }, { "id": "IN-MAL-2026-005489", "versions": [ "2.5.65" ], "sha256": "36cfb437f27c5ddb03d6cbb79910935e271ede63ee8800b4303eb9101da4827f", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:38Z", "import_time": "2026-06-11T05:40:59.829857081Z" }, { "id": "IN-MAL-2026-005501", "versions": [ "2.5.29" ], "sha256": "4e9b263003c8854c7cba2e2be2d6ec58f6daf48e354ffdf000d8ce010873df13", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:48Z", "import_time": "2026-06-11T05:41:01.064987356Z" }, { "id": "IN-MAL-2026-005513", "import_time": "2026-06-11T05:41:02.298232438Z", "sha256": "7260434c0c0b6348c67d28b3d08abd8e9f5fff518bde9418662f3aad3e23b544", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:58Z", "versions": [ "2.5.35" ] }, { "id": "IN-MAL-2026-005517", "import_time": "2026-06-11T05:41:02.666379004Z", "sha256": "c3bd01a5cfc5bcca989c0fb6a7927836563bff8292a2925e4dde5288e97c14a3", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:02Z", "versions": [ "2.5.24" ] }, { "id": "IN-MAL-2026-005528", "import_time": "2026-06-11T05:41:03.752676868Z", "sha256": "c60265192835c96f55d417bd6e9d94cc74eef4e85306c83c4fc1eb53cc2b75bb", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:08Z", "versions": [ "2.5.45" ] }, { "id": "IN-MAL-2026-005484", "import_time": "2026-06-11T05:40:59.420023021Z", "sha256": "d4676b07d198a1420a3d825146794508c99eb8ca4e39e7023345f30f2c25a8f0", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:35Z", "versions": [ "2.5.31" ] }, { "id": "IN-MAL-2026-005482", "import_time": "2026-06-11T05:40:59.238765505Z", "sha256": "f85e08de4bae3abf778d5ea243b2f637fbecc45d619632235d393560c1914fcd", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:33Z", "versions": [ "2.5.68" ] }, { "id": "IN-MAL-2026-005525", "import_time": "2026-06-11T05:41:03.451566196Z", "sha256": "60c89682643cb0dced3011ddaee7a3f3ab12cc20899aab623c45f987ea6795b5", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:07Z", "versions": [ "2.5.28" ] }, { "id": "IN-MAL-2026-005512", "import_time": "2026-06-11T05:41:02.186073521Z", "sha256": "618a67797e59ad13e9f16efa25072c08cd6d244666d2e2bebb7ace965cf3bb4e", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:58Z", "versions": [ "2.5.59" ] }, { "id": "IN-MAL-2026-005496", "versions": [ "2.5.63" ], "sha256": "68c0db10302a26b961862f1bb2a27639d8b9c0647541abc035b9b1e261dbdb95", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:44Z", "import_time": "2026-06-11T05:41:00.59085258Z" }, { "id": "IN-MAL-2026-005508", "import_time": "2026-06-11T05:41:01.761696098Z", "sha256": "acee1f4e1c0c4d1203c8416ee86421cf7e5ab30bc91e5f1a280861d9304df85d", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:53Z", "versions": [ "2.5.64" ] }, { "id": "IN-MAL-2026-005485", "versions": [ "2.5.48" ], "sha256": "c0e076ffa782ef1c0b646f2c06ca577174be52200a26399643b180ebb6ae94e7", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:36Z", "import_time": "2026-06-11T05:40:59.498594534Z" }, { "id": "IN-MAL-2026-005523", "versions": [ "2.5.66" ], "sha256": "c639e5d9e176113cd97f1ce1365e2c2e2282cbc7db517e24695fde649f99f3db", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:06Z", "import_time": "2026-06-11T05:41:03.253131867Z" }, { "id": "IN-MAL-2026-005493", "import_time": "2026-06-11T05:41:00.282788024Z", "sha256": "ca72c94d0cdb4cc1f17a0a20d683ae013fb593c4364d8c58c3d2e79287bf25b5", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:41Z", "versions": [ "2.5.41" ] }, { "id": "IN-MAL-2026-005499", "versions": [ "2.5.55" ], "sha256": "daf73c0482dfaff7e2845f6cd01c3309284b09ee5cbd2227eb4a9e7f998b15fa", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:46Z", "import_time": "2026-06-11T05:41:00.854507481Z" }, { "id": "IN-MAL-2026-005505", "import_time": "2026-06-11T05:41:01.426828984Z", "sha256": "62f923084a4db24a2c280b646c7f412ba83da683f0acf72082de391cf8a0186b", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:51Z", "versions": [ "2.5.11" ] }, { "id": "IN-MAL-2026-005510", "import_time": "2026-06-11T05:41:01.978549213Z", "sha256": "669fa24845afb6c28afd4e6a8dd0d76d4636c8836385e43f9fd2d65cc00715c0", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:55Z", "versions": [ "2.5.47" ] }, { "id": "IN-MAL-2026-005527", "versions": [ "2.5.3" ], "sha256": "a5330898943f21beeaa2680194dad5b31eabade3318c2fafbcf48062fb16beca", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:08Z", "import_time": "2026-06-11T05:41:03.660818099Z" }, { "id": "IN-MAL-2026-005492", "versions": [ "2.5.8" ], "sha256": "a945a05d832b3847424d8ed0392b0f0069bf3231c70976c8f6fb085f72755d7d", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:40Z", "import_time": "2026-06-11T05:41:00.151580671Z" }, { "id": "IN-MAL-2026-005494", "import_time": "2026-06-11T05:41:00.390713698Z", "sha256": "dc60ba7b459a55106b17b901aa3b5c3f0a7df97e01a8fc4d69f0bcd910407350", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:42Z", "versions": [ "2.5.36" ] }, { "id": "IN-MAL-2026-005522", "import_time": "2026-06-11T05:41:03.159933661Z", "sha256": "e65cf8172809600b46e18c5f50d1f7d9e1b7e57b9a69f9ee014e3ce3dbb2939a", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:05Z", "versions": [ "2.5.15" ] }, { "id": "IN-MAL-2026-005498", "import_time": "2026-06-11T05:41:00.752683068Z", "sha256": "f55aef8b5ff9956db2270536896e3a5667dda50d14451549930b3f35329c818f", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:45Z", "versions": [ "2.5.30" ] }, { "id": "IN-MAL-2026-005519", "versions": [ "2.5.16" ], "sha256": "260db5aafa401d0ffec2b3eb111fd86de4e23cefa0c822a549157ad913cce6ca", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:03Z", "import_time": "2026-06-11T05:41:02.82651455Z" }, { "id": "IN-MAL-2026-005483", "import_time": "2026-06-11T05:40:59.341903557Z", "sha256": "7716c6ecbde3967b55595cb65f09602aa88f4622dd7ce1d2631060eebbd00455", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:34Z", "versions": [ "2.5.44" ] }, { "id": "IN-MAL-2026-005515", "versions": [ "2.5.26" ], "sha256": "a4edd8f4400d56699b7377bfb64215980181f512c89eb016a8b99b06223b217f", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:00Z", "import_time": "2026-06-11T05:41:02.479939743Z" }, { "id": "IN-MAL-2026-005487", "import_time": "2026-06-11T05:40:59.661948978Z", "sha256": "da563446293e81640f1a1ec56050633e5a57bb6b65d3e7fa4af424522535e0ab", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:37Z", "versions": [ "2.5.34" ] }, { "id": "IN-MAL-2026-005495", "versions": [ "2.5.56" ], "sha256": "f1644e51cdc8f72e47193f67fcbbfee59306fed471811509f94f9334ef20fc40", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:43Z", "import_time": "2026-06-11T05:41:00.484530197Z" }, { "id": "IN-MAL-2026-005491", "import_time": "2026-06-11T05:41:00.054517302Z", "sha256": "fe49ef8d77c28ea288d8f929a9c1c75991e018ca1eebf762b8ff66bdfec9fe28", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:39Z", "versions": [ "2.5.14" ] }, { "id": "IN-MAL-2026-005529", "versions": [ "2.5.22" ], "sha256": "057c12c9ab4d56dce4a956cfba00a37740033c66ebc160e7782327f2fb3db2fc", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:09Z", "import_time": "2026-06-11T05:41:03.856887595Z" }, { "id": "IN-MAL-2026-005486", "versions": [ "2.5.43" ], "sha256": "8f5759fdaf51e10976fe1c68e6f296f83b120bb868409b21fb91e673393e8d78", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:36Z", "import_time": "2026-06-11T05:40:59.580844121Z" }, { "id": "IN-MAL-2026-005506", "versions": [ "2.5.33" ], "sha256": "a3772f98ae9a785056de6c337d1943c5981cffc52064f423f7421250dc873507", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:52Z", "import_time": "2026-06-11T05:41:01.586409884Z" }, { "id": "IN-MAL-2026-005507", "import_time": "2026-06-11T05:41:01.673080649Z", "sha256": "b551f4357e304f3ff7c68e590c94da50f89ae1880eeecfd5e8b77c70caf7259e", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:53Z", "versions": [ "2.5.2" ] }, { "id": "IN-MAL-2026-005521", "import_time": "2026-06-11T05:41:03.049156326Z", "sha256": "d011626d5de7ade6ec8a16e4773986cfa95c80fbdd74458fcffb6937c6ab783b", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:04Z", "versions": [ "2.5.42" ] }, { "id": "IN-MAL-2026-005500", "versions": [ "2.5.4" ], "sha256": "ef24b7e803366e983e02e4476181dd52f2dbbf2d2f41323a9e75a8edc77adcc1", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:46Z", "import_time": "2026-06-11T05:41:00.959662902Z" }, { "id": "IN-MAL-2026-005503", "versions": [ "2.5.1" ], "sha256": "011eff9ef7121419aaa8720bf959bbeaf18db1ae132c5bcb5ddb9e56c721b9e5", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:49Z", "import_time": "2026-06-11T05:41:01.233636178Z" }, { "id": "IN-MAL-2026-005524", "import_time": "2026-06-11T05:41:03.344988654Z", "sha256": "1c95d9ea437a62c4d4da7d32daac9f85c4962ac4382e011e05955e3e76b24590", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:06Z", "versions": [ "2.5.38" ] }, { "id": "IN-MAL-2026-005488", "import_time": "2026-06-11T05:40:59.739791595Z", "sha256": "218a31f69bb9eac85759bc4e586fc17b12b588e2a1f8fcf1f614a4498d573247", "source": "amazon-inspector", "modified_time": "2026-06-11T04:53:37Z", "versions": [ "2.5.23" ] }, { "id": "IN-MAL-2026-005518", "versions": [ "2.5.40" ], "sha256": "a21e3c4c77cfede1eef362587ce160de4c981da7e93c1708fb75d9a4f9b9ce7e", "source": "amazon-inspector", "modified_time": "2026-06-11T04:54:02Z", "import_time": "2026-06-11T05:41:02.745930284Z" } ] }- References
-
- https://www.npmjs.com/package/sensivity/v/2.5.32
- https://www.npmjs.com/package/sensivity/v/2.5.52
- https://www.npmjs.com/package/sensivity/v/2.5.60
- https://www.npmjs.com/package/sensivity/v/2.5.27
- https://www.npmjs.com/package/sensivity/v/2.5.51
- https://www.npmjs.com/package/sensivity/v/2.5.13
- https://www.npmjs.com/package/sensivity/v/2.5.9
- https://www.npmjs.com/package/sensivity/v/2.5.0
- https://www.npmjs.com/package/sensivity/v/2.5.58
- https://www.npmjs.com/package/sensivity/v/2.5.61
- https://www.npmjs.com/package/sensivity/v/2.5.5
- https://www.npmjs.com/package/sensivity/v/2.5.37
- https://www.npmjs.com/package/sensivity/v/2.5.69
- https://www.npmjs.com/package/sensivity/v/2.5.67
- https://www.npmjs.com/package/sensivity/v/2.5.7
- https://www.npmjs.com/package/sensivity/v/2.5.17
- https://www.npmjs.com/package/sensivity/v/2.5.62
- https://www.npmjs.com/package/sensivity/v/2.5.53
- https://www.npmjs.com/package/sensivity/v/2.5.20
- https://www.npmjs.com/package/sensivity/v/2.5.57
- https://www.npmjs.com/package/sensivity/v/2.5.12
- https://www.npmjs.com/package/sensivity/v/2.5.19
- https://www.npmjs.com/package/sensivity/v/2.5.54
- https://www.npmjs.com/package/sensivity/v/2.5.50
- https://www.npmjs.com/package/sensivity/v/2.5.39
- https://www.npmjs.com/package/sensivity/v/2.5.46
- https://www.npmjs.com/package/sensivity/v/2.5.18
- https://www.npmjs.com/package/sensivity/v/2.5.21
- https://www.npmjs.com/package/sensivity/v/2.5.49
- https://www.npmjs.com/package/sensivity/v/2.5.25
- https://www.npmjs.com/package/sensivity/v/2.5.10
- https://www.npmjs.com/package/sensivity/v/2.5.6
- https://www.npmjs.com/package/sensivity/v/2.5.65
- https://www.npmjs.com/package/sensivity/v/2.5.29
- https://www.npmjs.com/package/sensivity/v/2.5.35
- https://www.npmjs.com/package/sensivity/v/2.5.24
- https://www.npmjs.com/package/sensivity/v/2.5.45
- https://www.npmjs.com/package/sensivity/v/2.5.31
- https://www.npmjs.com/package/sensivity/v/2.5.68
- https://www.npmjs.com/package/sensivity/v/2.5.28
- https://www.npmjs.com/package/sensivity/v/2.5.59
- https://www.npmjs.com/package/sensivity/v/2.5.63
- https://www.npmjs.com/package/sensivity/v/2.5.64
- https://www.npmjs.com/package/sensivity/v/2.5.48
- https://www.npmjs.com/package/sensivity/v/2.5.66
- https://www.npmjs.com/package/sensivity/v/2.5.41
- https://www.npmjs.com/package/sensivity/v/2.5.55
- https://www.npmjs.com/package/sensivity/v/2.5.11
- https://www.npmjs.com/package/sensivity/v/2.5.47
- https://www.npmjs.com/package/sensivity/v/2.5.3
- https://www.npmjs.com/package/sensivity/v/2.5.8
- https://www.npmjs.com/package/sensivity/v/2.5.36
- https://www.npmjs.com/package/sensivity/v/2.5.15
- https://www.npmjs.com/package/sensivity/v/2.5.30
- https://www.npmjs.com/package/sensivity/v/2.5.16
- https://www.npmjs.com/package/sensivity/v/2.5.44
- https://www.npmjs.com/package/sensivity/v/2.5.26
- https://www.npmjs.com/package/sensivity/v/2.5.34
- https://www.npmjs.com/package/sensivity/v/2.5.56
- https://www.npmjs.com/package/sensivity/v/2.5.14
- https://www.npmjs.com/package/sensivity/v/2.5.22
- https://www.npmjs.com/package/sensivity/v/2.5.43
- https://www.npmjs.com/package/sensivity/v/2.5.33
- https://www.npmjs.com/package/sensivity/v/2.5.2
- https://www.npmjs.com/package/sensivity/v/2.5.42
- https://www.npmjs.com/package/sensivity/v/2.5.4
- https://www.npmjs.com/package/sensivity/v/2.5.1
- https://www.npmjs.com/package/sensivity/v/2.5.38
- https://www.npmjs.com/package/sensivity/v/2.5.23
- https://www.npmjs.com/package/sensivity/v/2.5.40
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / sensivity
Package
- Name
- sensivity
- View open source insights on deps.dev
- Purl
- pkg:npm/sensivity
Affected versions
2.*
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.5.9
2.5.10
2.5.11
2.5.12
2.5.13
2.5.14
2.5.15
2.5.16
2.5.17
2.5.18
2.5.19
2.5.20
2.5.21
2.5.22
2.5.23
2.5.24
2.5.25
2.5.26
2.5.27
2.5.28
2.5.29
2.5.30
2.5.31
2.5.32
2.5.33
2.5.34
2.5.35
2.5.36
2.5.37
2.5.38
2.5.39
2.5.40
2.5.41
2.5.42
2.5.43
2.5.44
2.5.45
2.5.46
2.5.47
2.5.48
2.5.49
2.5.50
2.5.51
2.5.52
2.5.53
2.5.54
2.5.55
2.5.56
2.5.57
2.5.58
2.5.59
2.5.60
2.5.61
2.5.62
2.5.63
2.5.64
2.5.65
2.5.66
2.5.67
2.5.68
2.5.69
Database specific
cwes
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "launcher.js",
"sha256": "d08f447df1bd242a87c3b31f5186a64b92c4d39325adb77b06eaebc06e97fd2d",
"tlsh": "a262d6ae64f7203581b3a02e159f6026a43bc503240dfae4b55c860a6f9533c93f7afd"
},
{
"path": "sens.node",
"sha256": "aa298f903700ac207596b12cc41921b6879a4ef23c31384ec5d3ddc1076bf7a9",
"tlsh": "2c667ab19a9c8b0df07ab079c1835617a7f1bc0d2321df8b9ad09db74d1f594f16a20a"
},
{
"path": "server.obf.js",
"sha256": "c8dbb30c2eded6d2a96db2a7709706ba967ff1f7b940d1d84e9b5d60fd4347c5",
"tlsh": "b883d72163c43c8d21474ff3772bb2e5ea281a99b09445dfe514bc54ebbb914dbe8a30"
}
],
"package_integrity": [
{
"filename": "sensivity-2.5.32.tgz",
"hashes": {
"sha512_sri": "sha512-+NLkks0bg4/tXcW6AyNZr3yvTIaxjyO8s6JCz9q+EXWa7dtwaGe0B5QjyxfjDQhjrSa5pjsTz0yRPevbrmuHhw==",
"sha1": "3dec518ae256caca88e1ab607f70a428dbfe76af"
}
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sensivity/MAL-2026-5558.json"