MAL-2026-5561

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@bestlzk/sectest/MAL-2026-5561.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5561
Published
2026-06-11T05:00:38Z
Modified
2026-06-11T05:46:32.979030391Z
Summary
Malicious code in @bestlzk/sectest (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0cfce552ac72417ec7db2c48e0e13b1d060007167e82bd0f9b10799efe85e7f4)

On npm install, postinstall.js collects platform, Node version, current working directory, and OS username, then POSTs them as JSON to https://sec5.bestlzk.cn/v2/report. The HTTPS response body is parsed as JSON and the config.setup field is passed directly to child_process.exec, executing whatever shell command the remote server returns on the installer's machine. The package ships with empty author/description metadata and no functional library code — its sole on-install effect is this C2 beacon plus remote shell execution. This is install-time remote code execution by a hardcoded attacker endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005531",
            "versions": [
                "1.0.0"
            ],
            "sha256": "0cfce552ac72417ec7db2c48e0e13b1d060007167e82bd0f9b10799efe85e7f4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:00:38Z",
            "import_time": "2026-06-11T05:41:04.031429859Z"
        },
        {
            "id": "IN-MAL-2026-005532",
            "versions": [
                "1.0.0"
            ],
            "sha256": "4fc73f82656db9921e5ed04df7c1e5d4959edf641148968f0d6efdd1de400d68",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:00:39Z",
            "import_time": "2026-06-11T05:41:04.187069518Z"
        }
    ]
}

Affected packages

npm / @bestlzk/sectest

Package

Name
@bestlzk/sectest
Purl
pkg:npm/%40bestlzk%2Fsectest

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "ed960b44fbdcdc01ebb98fca7527d49356be3e065afe7f6ea037b17b12e44b21",
            "tlsh": "ce111ce514fa953202f39deaaa97d0222963d1137507ee64fedc93a16f8406c44e29fc"
        },
        {
            "path": "package.json",
            "sha256": "b5b2c836245def2e5a541feadd691cc44a0427d1ca42a4be46b9847f4dfb3a10",
            "tlsh": "47c012144840537334c447b50e13814bfe314d0b50457c1856e34994529a77254f971e"
        }
    ],
    "package_integrity": [
        {
            "filename": "sectest-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-fw0mzLNqU/K4Fb61vHQXeVOYFByeoEWy7HuQAjuX0lqRj9QEHW1WacOxE9wZZ4/NVw1rJOVKGA2b4XbhgCngvw==",
                "sha1": "a07cf5a6f36702e8460fb991a2fbc445df4bc079"
            }
        }
    ],
    "domains": [
        "sec5.bestlzk.cn"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@bestlzk/sectest/MAL-2026-5561.json"