MAL-2026-5790

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ldpbootstrap-jquery/MAL-2026-5790.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5790
Published
2026-06-15T15:53:31Z
Modified
2026-06-15T17:31:48.385830230Z
Summary
Malicious code in ldpbootstrap-jquery (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bcab02ae44d1604b6fa9e80156a8c5882f7a4809470ff59eb6d14db4bf28f91f)

ldpbootstrap-jquery ships and executes an obfuscated Windows PowerShell payload as part of its documented usage. The package contains dist/ps1-stub.enc.hex, an 8KB opaque hex-encoded blob, and dist/bootstrap.js decrypts it with a hardcoded XOR key (f633ffeeffbbc09da9f2b477e1183294), writes the decrypted PS1 to %LOCALAPPDATA%\Landpage<ps1FileName>, and invokes it via powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -File <path> — explicitly bypassing execution policy and hiding the window. bootstrap.js also fetches a session-specific PS1 over plain HTTP from a consumer-configured apiBase (README example: http://192.168.1.143:3001) using MSXML2.ServerXMLHTTP with session/fingerprint headers, then writes and executes it via the same hidden PowerShell flow. The README explicitly documents AV evasion as a design goal, referencing docs/HTA-AV-HYGIENE.md and describing per-session XOR key derivation in an HTA context for MSI delivery. The shipped encrypted blob, hardcoded decryption key, hidden-window/policy-bypass PowerShell execution, and author-documented anti-virus evasion together constitute malware-distribution infrastructure. Although the harmful flow is invoked through the package's API rather than auto-running on npm install or require(), any developer using the package as documented will execute attacker-shaped, AV-evading PowerShell on Windows endpoints.


Affected packages

npm / ldpbootstrap-jquery

Package

Name
ldpbootstrap-jquery
Purl
pkg:npm/ldpbootstrap-jquery

Affected versions

1.*
1.0.9
1.0.10
1.0.11
1.0.13
1.0.15

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]