MAL-2026-5564

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@tonsdk/core/MAL-2026-5564.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5564
Published
2026-06-11T05:00:02Z
Modified
2026-06-11T05:46:33.998928451Z
Summary
Malicious code in @tonsdk/core (npm)
Details

Source: amazon-inspector (d9a9a70e3d8b322df960cb96b195f74693eb4d2ea284680e4cfb41a33f1848f8)

@tonsdk/core impersonates the legitimate @ton/core TON blockchain SDK. On npm install, scripts/postinstall.js executes automatically and performs two attacker-controlled actions against a hardcoded bare-IP C2 at 213.218.160.189 (ports 8080 and 80) over plaintext HTTP. First, it base64-encodes a JSON fingerprint of the installer host (hostname, username, platform, arch) and sends it as a GET query string to /s?q=<base64>, leaking host identifiers on every install. Second, it fetches a response payload, optionally XOR-decrypts it, and passes the result to eval(), giving the operator arbitrary remote code execution in the installer's Node process. The script also probes for VM/sandbox/analyst tooling (vmtoolsd, vboxservice, wireshark, x64dbg, ida) to suppress execution in researcher environments. The package name and description target developers searching for TON SDK tooling; the repository URL (aspect-build/tonsdk) is unrelated to the real TON Foundation.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005530",
            "versions": [
                "0.9.3"
            ],
            "sha256": "d9a9a70e3d8b322df960cb96b195f74693eb4d2ea284680e4cfb41a33f1848f8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:00:02Z",
            "import_time": "2026-06-11T05:41:03.945757348Z"
        }
    ]
}
References
Credits

Affected packages

npm / @tonsdk/core

Package

Name
@tonsdk/core
Purl
pkg:npm/%40tonsdk%2Fcore

Affected ranges

Affected versions

0.*
0.9.3

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "scripts/postinstall.js",
            "sha256": "b2144acd6e3e1b58bff7ac4f201248831e65e435283267d35018a92fd02ed59d",
            "tlsh": "045145d4b6fa5130526395bc596fd841b27fe503b106d6e8bacc13406f45a68c3f34e9"
        },
        {
            "path": "package.json",
            "sha256": "a92005f40f8241f8ab83a14f9640997f9520aec6c34b8808ec6ef049dd0ef126",
            "tlsh": "d2014935ca105e731ec86a89dc6d0642a562081f8c147c2d33e3413c8f4e2af51fe72e"
        }
    ],
    "package_integrity": [
        {
            "filename": "core-0.9.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-BH0WdyHhZwg69C8Cj9HLVlgWFx6bRmxwE8+rGJpuxvv5xg8aUgM1tnv2C7+o2qv22A4GxydEuc69o/lNyzwLqw==",
                "sha1": "d78e281f1e3dcc36a948641bcbb5e5e2e8abfa69"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@tonsdk/core/MAL-2026-5564.json"