MAL-2026-5629

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sass-formats/MAL-2026-5629.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5629
Aliases
  • GHSA-pvrm-39m5-j3c4
Published
2026-06-11T09:35:12Z
Modified
2026-07-08T20:47:10.372788118Z
Summary
Malicious code in sass-formats (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5ccda832d10cb642350129278ae1fc341d3be8b8302ddbf9bdcfc15eeeb6eae8)

The package name sass-formats is one character-edit away from the popular sass-formatter package and reuses its original author field ("author": "Syler" in package.json), while dist/cli.js carries a header indicating it was modified by a different maintainer (// Modified by https://github.com/maarutan... Marat Arzymatov 2025). The tarball ships dist/lib/lib.min.js, a heavily obfuscated 4 KB file that smuggles handles to require and module onto the global object (global['r']=require; global['m']=module), tags itself with a payload-version marker (global['_V']='A6-519-79'), and derives the string constructor from a shuffled character array to invoke Function(args, body) on a second shuffled string — the canonical string-array-shuffle / dynamic-Function execution shape used by npm credential and dropper malware. Although no entrypoint in v1.0.4 currently loads dist/lib/lib.min.js, shipping a hidden Function-constructor payload with smuggled require/module references in a package that purports to be a Sass formatter has no legitimate engineering purpose, and the combination of name-edit typosquat against sass-formatter plus impersonated author identity plus a staged dynamic-execution payload matches the supply-chain attack pattern.

Source: ghsa-malware (593849a1308008d25bbda542cd5504e43cae6241d7ebe1c44b08377e2afe13d5)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "GHSA-pvrm-39m5-j3c4",
            "source": "ghsa-malware",
            "import_time": "2026-06-11T09:45:30.622479982Z",
            "sha256": "593849a1308008d25bbda542cd5504e43cae6241d7ebe1c44b08377e2afe13d5",
            "modified_time": "2026-06-11T09:35:17Z"
        },
        {
            "modified_time": "2026-06-12T19:09:51Z",
            "id": "IN-MAL-2026-006140",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:44:12.563697144Z",
            "sha256": "18a570df7e3b77dc19d65d25fc246dbd231f0424c191729104ba3f9eed151663",
            "versions": [
                "1.0.5"
            ]
        },
        {
            "sha256": "5ccda832d10cb642350129278ae1fc341d3be8b8302ddbf9bdcfc15eeeb6eae8",
            "id": "IN-MAL-2026-006139",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:44:12.443694336Z",
            "modified_time": "2026-06-12T19:09:49Z",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "modified_time": "2026-06-12T19:09:52Z",
            "id": "IN-MAL-2026-006141",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:44:12.655381222Z",
            "sha256": "64bd6333e924def2273b459fb46fb7bee7c6458545ce724fcab008914ab4b39e",
            "versions": [
                "1.0.5"
            ]
        },
        {
            "sha256": "baaeef1a01255a223f4cf9abd67ec4d1f440ea09af1c3cbe25236f8f1ad401bc",
            "id": "IN-MAL-2026-008404",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T20:32:24.163235124Z",
            "modified_time": "2026-07-08T20:05:19Z",
            "versions": [
                "1.0.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / sass-formats

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.2
1.0.4
1.0.5

Database specific

indicators
{
    "domains": [
        "bootstrap.pypa.io",
        "api.trongrid.io",
        "bsc-dataseed.binance.org",
        "fullnode.mainnet.aptoslabs.com"
    ],
    "evidence_files": [
        {
            "path": "dist/lib/lib.min.js",
            "tlsh": "75817fc83148fdc578c0427081cb919f1c6507e2987fb1c4888fc6ea55422465eb8eff",
            "sha256": "b373c2d8b6479a9acdb2fadbd35d312e8bd70975c8a3a3247b2aa9df6c3ef0e4"
        },
        {
            "path": "package.json",
            "tlsh": "6f319b33ca28dd3356f5a2ae7c788603fa04975f5160880b71fd36ad0f3a17b4195769",
            "sha256": "692cd17b1bbede1eb2c5b33288f656beecc901479af98def584ec236919e3849"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sass-formats/MAL-2026-5629.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]