MAL-2026-5712

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jextic-eclib/MAL-2026-5712.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-5712
Published: 2026-06-12T20:35:41Z
Modified: 2026-06-12T21:01:43.305016360Z
Summary: Malicious code in jextic-eclib (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (13a6476409b9cb9296b7f778be375081c8ad12b030658351092e9fef90f4b707)

On npm install, the package's postinstall hook (postinstall.js) requires index.js, whose top-level scanAndExfiltrate() call walks the installer's working directory and parent directories for sensitive files (.env, .aws/credentials, .ssh/id_rsa, .npmrc, .netrc, .git-credentials, service-account.json, and similar) and POSTs their contents via execSync('curl...') to a hardcoded Discord webhook. The webhook URL is split into two base64-encoded chunks (aHR0cHM6Ly9kaXNjb3JkLmNvbS9hcGkvd2ViaG9va3Mv plus a base64-encoded webhook ID/token) and reassembled at runtime to evade simple string scanners. The combination of installer-secret enumeration, hardcoded attacker-controlled exfil endpoint, base64 obfuscation, and unconditional execution under the postinstall lifecycle hook is a textbook supply-chain credential-theft attack.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006230",
            "versions": [
                "1.0.0"
            ],
            "sha256": "13a6476409b9cb9296b7f778be375081c8ad12b030658351092e9fef90f4b707",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T20:35:41Z",
            "import_time": "2026-06-12T20:49:38.041891302Z"
        }
    ]
}

Affected packages

npm / jextic-eclib

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jextic-eclib/MAL-2026-5712.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "af46e4470629d3beb9d161cb05ee876f38e8ab70604d69b6da0afc07af5bd725",
            "tlsh": "2d41a8f605fa1bb04467cddad60f18011297e6933224a8f0716c059c0f8ee20b6f3eac"
        },
        {
            "path": "package.json",
            "sha256": "c83d17768d6e40437fdc68b827e130ba70de18c73effe5cd2c697561c76f601e",
            "tlsh": "76e07d000d568f3325c50f5b0d26845c66225f1f0000791c2bdf106cc34e1b699ff39e"
        }
    ],
    "package_integrity": [
        {
            "filename": "jextic-eclib-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-lWPDLdhNxPBZSdUP5nkcrb5pQsDsMrPPsQzsvxPOl05dXflbgyIA38BmSI9SrHJmbyUwvxwlEtK8meMEY/F+Ng==",
                "sha1": "4c887f08f577cd599c8915dcd5532757b6ed5c08"
            }
        }
    ]
}