MAL-2026-5724

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/warp-dependency/MAL-2026-5724.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5724

Published

2026-06-13T02:10:04Z

Modified

2026-06-13T02:31:43.444357812Z

Summary

Malicious code in warp-dependency (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (493b3ed30d94fb482e4b9c7cf3d328ba9b307f91965783f0024ec7dca1fedb96)

warp-dependency@1.0.0 declares postinstall: node index.js in package.json. The index.js entry point is heavily obfuscated using obfuscator.io-style string-array rotation (_0x345c/_0x1de1) that hides the download URL, target filename, and the require targets (fs-extra, node-fetch, child_process). When deobfuscated, the top-level code performs downloadFile('https://recorder-our-betting-chair.trycloudflare.com/page', 'bss.exe') followed by child_process.exec('bss.exe',...), writing and running an opaque Windows executable next to the package on every install. trycloudflare.com is an anonymous ephemeral tunneling service commonly used as throwaway dropper infrastructure; the URL is unpinned and the binary is unsigned, unhashed, and unrelated to the package's stated 'Mac UI for Windows Toolkit' purpose. The package name also typosquats the legitimate 'warp' brand. Every npm install warp-dependency silently runs attacker-controlled native code on the installer's machine.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006271",
            "versions": [
                "1.0.0"
            ],
            "sha256": "493b3ed30d94fb482e4b9c7cf3d328ba9b307f91965783f0024ec7dca1fedb96",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T02:10:04Z",
            "import_time": "2026-06-13T02:23:23.07557225Z"
        },
        {
            "id": "IN-MAL-2026-006272",
            "versions": [
                "1.0.0"
            ],
            "sha256": "9f1ff50bf7658e4876b44a7476dbe5889afcf6a6facaf342fdd56a6d0fdbfa3d",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T02:10:05Z",
            "import_time": "2026-06-13T02:23:23.150823777Z"
        }
    ]
}

References

https://www.npmjs.com/package/warp-dependency/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / warp-dependency

Package

Name: warp-dependency; View open source insights on deps.dev
Purl: pkg:npm/warp-dependency

Affected ranges

Affected versions

1.*

1.0.0

Database specific

indicators

{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "4de80153e8bdba06a16c5a348c606aa3edc55b7fee954de9f1b063807dd00bb7",
            "tlsh": "d14115685fd423ba6b868ed35d2b0487d307cd4738f1c0d1b35068857cd111ee9a6ab6"
        }
    ],
    "package_integrity": [
        {
            "filename": "warp-dependency-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-MBsl4LQzLx9oJnU2FajYd7oeeoaZ4LapOtCippvT3I9a6e4aUrTZe8PbWH46P/hHiFlqUGSre57NLnxu0W7DNQ==",
                "sha1": "ce9411dc624ce82eec3fafc23dd65689c072d0b1"
            }
        }
    ],
    "ips": [
        "104.16.231.132",
        "104.16.230.132"
    ],
    "domains": [
        "recorder-our-betting-chair.trycloudflare.com"
    ]
}

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/warp-dependency/MAL-2026-5724.json"