MAL-2026-5569

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-crypto-promise/MAL-2026-5569.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5569
Aliases
  • GHSA-hj2h-j6cr-5mq8
Published
2026-06-11T04:49:31Z
Modified
2026-07-06T20:01:45.188199428Z
Summary
Malicious code in js-crypto-promise (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f)

The package's prepinstall.js script base64-decodes a hidden URL (stored in a constant misleadingly named HASH_KEY decoding to https://jsonkeeper.com/b/DWNFF, an anonymous paste service), fetches the JSON body via axios, reads the .cache field, and pipes the contents into a detached node child process via stdin: const child = spawn('node', [], { detached: true, stdio: ['pipe', 'ignore', 'ignore'] }); child.stdin.write(k1);. This dropper fires automatically on npm install via scripts.postinstall. To defeat the --ignore-scripts mitigation, index.js also wraps a dynamic import('./prepinstall.js') inside a top-level IIFE, so any consumer that require('js-crypto-promise') re-triggers the same remote fetch and execution. The payload host is mutable, anonymous, unpinned, and unverified — the package author can swap in arbitrary code at any time. The package name impersonates the legitimate crypto-promise package: the README copies the real package's example code and embeds the real package's npm badge link, and the homepage points at the legitimate maintainer's GitHub repo. Installer impact: any npm install or require() of this package executes attacker-controlled Node.js code on the installer's machine.

Source: ghsa-malware (e9fe53199afdef1859ff9dc2c719ee2631c26ac984d1f8ed3387b10ea35b306e)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-11T04:49:31Z",
            "sha256": "0f5a7a6c89bed501873fcf3ed3eee38f5198ef5224d71038324f3543380feb5e",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-06-11T05:40:59.001689617Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005480"
        },
        {
            "source": "amazon-inspector",
            "sha256": "a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f",
            "import_time": "2026-06-11T05:40:58.904783131Z",
            "modified_time": "2026-06-11T04:49:31Z",
            "id": "IN-MAL-2026-005479",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "source": "ghsa-malware",
            "sha256": "e9fe53199afdef1859ff9dc2c719ee2631c26ac984d1f8ed3387b10ea35b306e",
            "import_time": "2026-07-06T19:53:47.961829054Z",
            "modified_time": "2026-07-06T18:53:33Z",
            "id": "GHSA-hj2h-j6cr-5mq8",
            "versions": [
                "1.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / js-crypto-promise

Package

Affected ranges

Affected versions

1.*
1.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "js-crypto-promise-1.0.1.tgz",
            "hashes": {
                "sha1": "16cb9ac29c00ff5c1a9412f8039643867e91b65d",
                "sha512_sri": "sha512-7zhn4EGpns+43OCWvRZZKU6cb4FxdF+nMHPYduQ1qyu+WWd5cJ3u3PvQSyuyVEV7D4JT15QgZSTaKtqhAOPWEA=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "8ee0225f3677ab7d2f700ed4983286764d12a020f6c2e5e0a50a80176a8b78a114bfe8",
            "sha256": "e7c772a541f61ef9cd7b77f1d6f2d216faa593b0348cf76f483df6ea873c2335",
            "path": "prepinstall.js"
        },
        {
            "tlsh": "f9016896cc68d8672bc421f26c7e110bf62048474919fc0a73c7860c0b8e8ab01bc26d",
            "sha256": "13aae5311a4162d7847e0be6ff1545db0a994dd8fe2d3e911617a9055fc2589f",
            "path": "package.json"
        },
        {
            "tlsh": "6b01d8497efcf0d703d1a0d7453bfb81ed92b0a3b2008b65938bea5cc5e1168c93a594",
            "sha256": "72c465459ec2b1ccce5cee1a8357a218107a7da7198a3c396acdc3ac5abc51e5",
            "path": "index.js"
        }
    ],
    "domains": [
        "jsonkeeper.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-crypto-promise/MAL-2026-5569.json"