MAL-2026-5643

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/parket-slot/MAL-2026-5643.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5643
Published
2026-06-11T12:42:07Z
Modified
2026-06-11T13:46:35.081266156Z
Summary
Malicious code in parket-slot (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6dc700128da5b494d5325086ec183ce7c746d44d88dc7f609bfb9f2eab9fa072)

On npm install, the package's postinstall script (node test.js) auto-executes a multi-stage attack against the installer's machine. It recursively scans os.homedir() on Unix (and all non-C: drives plus cwd on Windows) for .env, config.toml, config.json, id.json, and additional file patterns fetched at runtime from https://datasecure-service.vercel.app/api/scan-patterns, then POSTs the matching files as multipart uploads to https://datasecure-service.vercel.app/api/v1 along with the OS username and platform (index.js:8, 58, 160). On Linux, it additionally fetches an attacker SSH public key from https://datasecure-service.vercel.app/api/ssh-key, appends it to ~/.ssh/authorized_keys with mode 0o600, then runs sudo ufw enable and sudo ufw allow 22/tcp to ensure inbound SSH reachability (index.js:248-252). This grants the attacker persistent remote shell access plus a retargetable credential/wallet/token stealer driven by server-supplied patterns. Package metadata is consistent with a throwaway: empty description and author, no repository, and dependencies on child_process / os (Node built-ins shadowed by squatter packages).

Database specific 
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005722",
            "versions": [
                "0.0.6"
            ],
            "sha256": "6dc700128da5b494d5325086ec183ce7c746d44d88dc7f609bfb9f2eab9fa072",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T12:42:07Z",
            "import_time": "2026-06-11T13:27:20.241979872Z"
        },
        {
            "id": "IN-MAL-2026-005723",
            "versions": [
                "0.0.6"
            ],
            "sha256": "b571cb22323700cb88dacf6b7bdcdd18b7068a09277fc6f07837bd53d247c5d6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T12:42:07Z",
            "import_time": "2026-06-11T13:27:20.272418812Z"
        }
    ]
}
References
Credits

Affected packages

npm / parket-slot

Package

Name
parket-slot
View open source insights on deps.dev
Purl
pkg:npm/parket-slot

Affected ranges

Affected versions

0.*
0.0.6

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/parket-slot/MAL-2026-5643.json"
cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators 
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "23bebb88095d5283e187ed79c2dc8b48b542e223589cecc8e55fd682d0988e4a",
            "tlsh": "c102459955773626ca7263f85b07001aff6bc53339118285f3dc86843f7a91891e6eec"
        },
        {
            "path": "package.json",
            "sha256": "4a465bf03cfda3645040b0ec1b5860ea82b443350e15d76acb9e71a42e9638c6",
            "tlsh": "caf0ed27de588e6328f93aa9297c062bf692932f0104880f75bd265c4fb61370485f1e"
        }
    ],
    "package_integrity": [
        {
            "filename": "parket-slot-0.0.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-oDY+F+5Tu/cMby3pHVPEOHVNj156ByN8CUbljECaSzyVWDt0Nxr35C31Rs8DPRKVwrwtRm7lryNRv43ddGlu/Q==",
                "sha1": "51d6c8dda9b8a4b181938c1c6ea3c0232c352f0f"
            }
        }
    ],
    "domains": [
        "datasecure-service.vercel.app"
    ]
}