-= Per source details. Do not edit below this line.=-
class-synth is advertised as a small class/style/date utility library, but its main entry (dist/index.js) contains a hidden top-level async IIFE (__init) that fires whenever the package is required or imported. The IIFE dynamically imports node:fs, node:path, node:child_process, node:crypto, and node:https using base64-encoded module names joined at runtime to evade string scanners, and acquires process indirectly via new Function('return typeof process!== "undefined"? process: null;'). It then recursively walks process.cwd() looking for any .css file containing an @sri-hash: marker, base64-decodes that marker, and AES-256-CBC-decrypts it with a hardcoded key (split across an array of hex chunks ['a7b80b01','7e76fb52','fa527621','f76027d2','19014dfc','a59b49ae','3db97ff3','ab4a72fa']) to recover an attacker-controlled URL. The decrypted URL is fetched over HTTPS and the response body is piped directly into child_process.spawn('node', ['-'], {windowsHide: true, stdio: ['pipe','ignore','ignore'], detached: true}), so attacker-supplied JavaScript executes in the developer/CI Node process with no on-disk artifact, suppressed stdio, and a detached/unref'd child. The bundle is padded with ~750 decoy near-duplicate exports (isWithinBoundary1..200, applyPreset1..150, createSequenceStep1..250, mapOperation1..250, checkConstraint1..250) to bury the dropper near the end of the file. The C2 URL is delivered out-of-band via a planted .css file in the working tree, which defeats URL-based scanning of the package itself. The combination of base64-hidden Node built-ins, a split key and encrypted C2 location, indirect process access, detached stdin-piped code execution, and large-scale decoy padding leaves no plausible benign reading.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-006325",
"import_time": "2026-06-13T07:25:40.068766092Z",
"sha256": "1aa63407d7400b4819d0739dedad0a32d9ae29b18509693c2e8763cf30275271",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:31Z",
"versions": [
"1.0.9"
]
},
{
"id": "IN-MAL-2026-006335",
"import_time": "2026-06-13T07:25:40.764396146Z",
"sha256": "cddea7ee0ae2ce582b944e02750fe4ef3628ffb98035f2c09f55add30b22c127",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:37Z",
"versions": [
"1.0.4"
]
},
{
"id": "IN-MAL-2026-006324",
"versions": [
"1.0.8"
],
"sha256": "d3739061aa7c97593fe816a49960580ab7029e83063d6d64039c1e5a8e8184af",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:31Z",
"import_time": "2026-06-13T07:25:39.953318306Z"
},
{
"id": "IN-MAL-2026-006333",
"import_time": "2026-06-13T07:25:40.63730102Z",
"sha256": "3fe05a486e4cce2e9eb36558714ff75d3a7ff7db300c46095087db274451ed7d",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:36Z",
"versions": [
"1.0.6"
]
},
{
"id": "IN-MAL-2026-006337",
"import_time": "2026-06-13T07:25:40.905934094Z",
"sha256": "5208740230d7c6e9e8e5f32d1ebab45afc0154359e84d4942ecdb6e46f0f9288",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:38Z",
"versions": [
"1.0.7"
]
},
{
"id": "IN-MAL-2026-006338",
"import_time": "2026-06-13T07:25:40.977438486Z",
"sha256": "6ea0e042a314a56ca71b97cf1c7a89d077248da659a89d33f4bc8799eda73b06",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:42Z",
"versions": [
"1.0.4"
]
},
{
"id": "IN-MAL-2026-006328",
"versions": [
"1.0.7"
],
"sha256": "64df17fa107b8703f469a612dfdc6c03dbdea562847569034c97ae29ed4f636e",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:33Z",
"import_time": "2026-06-13T07:25:40.251900288Z"
},
{
"id": "IN-MAL-2026-006336",
"import_time": "2026-06-13T07:25:40.813933517Z",
"sha256": "92df67dd5d501d62afce26625625d6b62f34cf568f40ae0d8f0c3bd070cfe7e5",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:38Z",
"versions": [
"1.0.6"
]
},
{
"id": "IN-MAL-2026-006332",
"versions": [
"1.0.3"
],
"sha256": "211ba697cc519cd1336ef57b17fddf0406cb1f574f96f9bde936b0a49c789aa7",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:36Z",
"import_time": "2026-06-13T07:25:40.589206816Z"
},
{
"id": "IN-MAL-2026-006334",
"import_time": "2026-06-13T07:25:40.70724384Z",
"sha256": "d5cff2f39d67bd1b289dd662764985194331c02ac680a57a69df36343fd6cc1a",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:37Z",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-006323",
"import_time": "2026-06-13T07:25:39.780773321Z",
"sha256": "db93faf02c8e1d82ad4e6016c8bdff19e3d6373e2dea7b121f0475783fccbbf8",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:30Z",
"versions": [
"1.0.8"
]
},
{
"id": "IN-MAL-2026-006329",
"versions": [
"1.0.5"
],
"sha256": "efebe9567f48ade64190acee35e050f62a1c604c4077861d248ed214bf723d02",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:34Z",
"import_time": "2026-06-13T07:25:40.327793108Z"
},
{
"id": "IN-MAL-2026-006330",
"versions": [
"1.0.3"
],
"sha256": "4aba4e1c5927ad7b034a6fefab706397fd40df248bffb3fe43c2f4f3421bd89b",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:34Z",
"import_time": "2026-06-13T07:25:40.4704675Z"
},
{
"id": "IN-MAL-2026-006327",
"versions": [
"1.0.9"
],
"sha256": "60238ce3fd8e5b43c795ab1c8305423e42c8e382d1a20bd470b34525034362de",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:33Z",
"import_time": "2026-06-13T07:25:40.177746847Z"
},
{
"id": "IN-MAL-2026-006331",
"import_time": "2026-06-13T07:25:40.535685375Z",
"sha256": "9fabcad393dcfe529708719bf7be0104fe2060900d55055eac9d2e676c1f6a40",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:35Z",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-006326",
"versions": [
"1.0.5"
],
"sha256": "abb17afb17a74e6749e7e40905ad4963813c98bd5d4badf0a5f42ab44367f7a4",
"source": "amazon-inspector",
"modified_time": "2026-06-13T07:07:32Z",
"import_time": "2026-06-13T07:25:40.127399945Z"
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "dist/index.js",
"sha256": "324ae51677dd650b05a813f131336730fff47d1e5a0702705890b8b738b29235",
"tlsh": "dfc300ca72a23132d32b686048bf018bf377dda0177e4481d159a2adb63441ea5b7f7d"
}
],
"package_integrity": [
{
"filename": "class-synth-1.0.9.tgz",
"hashes": {
"sha512_sri": "sha512-K8FH1SJvAl2DZCpwHRy4+HnBhc64ZfpnUTmMFaWhjaLbemwMsDrW4tn1M+5FI49sL0wVOfMOU312xazzVoXHYg==",
"sha1": "1a4f8fef7550429fe2b83610f4c9244157275cbc"
}
}
],
"ips": [
"104.16.7.34",
"10.1.0.2"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/class-synth/MAL-2026-5730.json"