MAL-2026-5740

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/2fa-exe/MAL-2026-5740.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5740
Published
2026-06-13T20:15:54Z
Modified
2026-06-13T20:46:41.694888417Z
Summary
Malicious code in 2fa-exe (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (df3ad6044ca4d17d594aa3aa0d1a75d1dbf3ebf483d0dd1b04d502277674a8cc)

Package advertises itself as an SVG fetcher/sanitizer but ships an undocumented exported factory getPlugin() in index.js that performs an HTTPS GET to https://www.jsonkeeper.com/b/NGY3C (an anonymous, attacker-mutable JSON-paste service) and passes the response's model field directly to eval(). Any consumer that calls getPlugin() — or any tooling that mass-invokes a package's exports — executes arbitrary JavaScript fetched from a third-party paste at the moment of the call. The remote payload can change at any time without a new package release, so today's benign content provides no assurance about tomorrow's. The package name 2fa-exe also has no relationship to the stated SVG-sanitizer purpose, consistent with bait/lure framing. There is no integrity check, no pinning, and no mention of this behavior in the README.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006375",
            "import_time": "2026-06-13T20:33:18.791256777Z",
            "sha256": "acf790567380a784696688f56e72fca7d56d6992adf31b7857d34abc242d3485",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:15:55Z",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-006377",
            "versions": [
                "1.0.0"
            ],
            "sha256": "ae22a4f75735f102ab93f3acb4d6cb97867a2244a2b1235bf3cb1313eaab30c6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:15:58Z",
            "import_time": "2026-06-13T20:33:18.885325367Z"
        },
        {
            "id": "IN-MAL-2026-006374",
            "versions": [
                "1.0.1"
            ],
            "sha256": "d15402567a83c6520335b1f3ce315e10089c9ad19d77d7f82a6890fe3faf99e0",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:15:54Z",
            "import_time": "2026-06-13T20:33:18.750134962Z"
        },
        {
            "id": "IN-MAL-2026-006376",
            "import_time": "2026-06-13T20:33:18.853740117Z",
            "sha256": "df3ad6044ca4d17d594aa3aa0d1a75d1dbf3ebf483d0dd1b04d502277674a8cc",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:15:58Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}

Affected packages

npm / 2fa-exe

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "c1acda6821d5bf402ef7ccfbdc52803dcdbe2d24ae16b4450b0b2edca58393f7",
            "tlsh": "e57112a8999b7095d6b1e3e447135015f55ad1672208c3d4b7acc6983fb172c90f3eec"
        },
        {
            "path": "package.json",
            "sha256": "4c81577e01faa40a0e61efa2c66d567d8b6e8e4cb020fecf543e1d9010de371d",
            "tlsh": "7ae07d375e20845304f48b554b36974678120f2f11308c07317b103c83f12b344dd36d"
        }
    ],
    "package_integrity": [
        {
            "filename": "2fa-exe-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-1tw86IvmoLmY/pEtArXeTfRfpKM4aVG9ddZnEBuFiH15iIyUdzlYtXx3b44gsAsJ0t7cVZ8yicxgbCoOBRqLqw==",
                "sha1": "b2ed262e211075aecfb097ba0aa79aef406d87f0"
            }
        }
    ],
    "ips": [
        "104.16.8.34",
        "104.16.5.34",
        "10.1.0.2"
    ],
    "domains": [
        "34.6.16.104.in-addr.arpa"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/2fa-exe/MAL-2026-5740.json"