MAL-2026-5569
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-crypto-promise/MAL-2026-5569.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5569
- Published
- 2026-06-11T04:49:31Z
- Modified
- 2026-06-11T05:46:31.396156435Z
- Summary
- Malicious code in js-crypto-promise (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f)
The package's
prepinstall.jsscript base64-decodes a hidden URL (stored in a constant misleadingly namedHASH_KEYdecoding to https://jsonkeeper.com/b/DWNFF, an anonymous paste service), fetches the JSON body via axios, reads the.cachefield, and pipes the contents into a detachednodechild process via stdin:const child = spawn('node', [], { detached: true, stdio: ['pipe', 'ignore', 'ignore'] }); child.stdin.write(k1);. This dropper fires automatically onnpm installviascripts.postinstall. To defeat the--ignore-scriptsmitigation,index.jsalso wraps a dynamicimport('./prepinstall.js')inside a top-level IIFE, so any consumer thatrequire('js-crypto-promise')re-triggers the same remote fetch and execution. The payload host is mutable, anonymous, unpinned, and unverified — the package author can swap in arbitrary code at any time. The package name impersonates the legitimatecrypto-promisepackage: the README copies the real package's example code and embeds the real package's npm badge link, and the homepage points at the legitimate maintainer's GitHub repo. Installer impact: anynpm installorrequire()of this package executes attacker-controlled Node.js code on the installer's machine. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-005480", "versions": [ "1.0.1" ], "sha256": "0f5a7a6c89bed501873fcf3ed3eee38f5198ef5224d71038324f3543380feb5e", "source": "amazon-inspector", "modified_time": "2026-06-11T04:49:31Z", "import_time": "2026-06-11T05:40:59.001689617Z" }, { "id": "IN-MAL-2026-005479", "versions": [ "1.0.1" ], "sha256": "a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f", "source": "amazon-inspector", "modified_time": "2026-06-11T04:49:31Z", "import_time": "2026-06-11T05:40:58.904783131Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / js-crypto-promise
Package
- Name
- js-crypto-promise
- View open source insights on deps.dev
- Purl
- pkg:npm/js-crypto-promise
Database specific
indicators
{
"evidence_files": [
{
"path": "prepinstall.js",
"sha256": "e7c772a541f61ef9cd7b77f1d6f2d216faa593b0348cf76f483df6ea873c2335",
"tlsh": "8ee0225f3677ab7d2f700ed4983286764d12a020f6c2e5e0a50a80176a8b78a114bfe8"
},
{
"path": "package.json",
"sha256": "13aae5311a4162d7847e0be6ff1545db0a994dd8fe2d3e911617a9055fc2589f",
"tlsh": "f9016896cc68d8672bc421f26c7e110bf62048474919fc0a73c7860c0b8e8ab01bc26d"
},
{
"path": "index.js",
"sha256": "72c465459ec2b1ccce5cee1a8357a218107a7da7198a3c396acdc3ac5abc51e5",
"tlsh": "6b01d8497efcf0d703d1a0d7453bfb81ed92b0a3b2008b65938bea5cc5e1168c93a594"
}
],
"package_integrity": [
{
"filename": "js-crypto-promise-1.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-7zhn4EGpns+43OCWvRZZKU6cb4FxdF+nMHPYduQ1qyu+WWd5cJ3u3PvQSyuyVEV7D4JT15QgZSTaKtqhAOPWEA==",
"sha1": "16cb9ac29c00ff5c1a9412f8039643867e91b65d"
}
}
],
"domains": [
"jsonkeeper.com"
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-crypto-promise/MAL-2026-5569.json"