MAL-2026-5798

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@resolvx/core/MAL-2026-5798.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5798
Published
2026-06-15T18:00:19Z
Modified
2026-06-15T19:06:35.425416979Z
Summary
Malicious code in @resolvx/core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4639df1cd39850efb8106cbc5ecf3648f386c0cc5cff6c457d90f6a4d569cef0)

On npm install, scripts/postinstall.js connects to a hardcoded attacker IP (http://213.218.160.189:8080, fallback:80), sends a base64-encoded host fingerprint (hostname, username, platform, arch) as the q query parameter, optionally XOR-decrypts the HTTP response with an embedded hex key, writes the decrypted bytes to a hidden file (.node_<rand>.js) under /tmp or %LOCALAPPDATA%/Temp, spawns it as a detached Node process with stdio ignored and windowsHide set, calls unref(), and deletes the staging file ~5 seconds later. The script also performs anti-analysis checks (scans tasklist for wireshark/fiddler/procmon/x64dbg/ida), introduces a randomized 0.5–2.5s start delay, and skips execution when npm_config_dry_run is set to evade dry-run inspection. The combination of plaintext HTTP fetch from a bare IP, payload decryption, hidden filename staging, detached background execution, and anti-analysis gating is a textbook install-time dropper that yields full code execution on the installer's machine and exfiltrates host identification to the attacker for follow-on targeting.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "052d246b7ece22aa1b8e1a365e8c56a7655f5bb9136c946c93491d3f45bad6fc",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T18:00:24Z",
            "versions": [
                "2.4.2"
            ],
            "id": "IN-MAL-2026-006651",
            "import_time": "2026-06-15T18:54:55.97094478Z"
        },
        {
            "sha256": "4639df1cd39850efb8106cbc5ecf3648f386c0cc5cff6c457d90f6a4d569cef0",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T18:00:20Z",
            "versions": [
                "2.4.1"
            ],
            "id": "IN-MAL-2026-006650",
            "import_time": "2026-06-15T18:54:55.897288514Z"
        },
        {
            "sha256": "c4a11c4df96cafcd14b258bbd044e008dc789bf4860930df33ce06bac5b22372",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T18:00:25Z",
            "versions": [
                "2.4.2"
            ],
            "id": "IN-MAL-2026-006652",
            "import_time": "2026-06-15T18:54:56.048694099Z"
        },
        {
            "sha256": "c616f535bbbe417cfb9a1e54c6c98a9a40c2631ce26c3209ab5b43bc05ae4aec",
            "source": "amazon-inspector",
            "modified_time": "2026-06-15T18:00:19Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-006649",
            "import_time": "2026-06-15T18:54:55.839646457Z"
        }
    ]
}
References
Credits

Affected packages

npm / @resolvx/core

Package

Name
@resolvx/core
Purl
pkg:npm/%40resolvx%2Fcore

Affected ranges

Affected versions

1.*
1.0.0
2.*
2.4.1
2.4.2

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@resolvx/core/MAL-2026-5798.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "bb1253d7958c76ae002b219dc29bc929ba121d910d0319ea784093bbfb969191",
            "tlsh": "d45142c426f5013441a395a85baba522b27fe213b456dae4fe8c47401f45778c2f39fd",
            "path": "scripts/postinstall.cjs"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-WHOJHbJtDuyq4dCVHmA0otzg/UAA4tXL+or9CAgv9geKnvuvQ64T/V2qpS2RnxTOzRK7iQCxc+/rHfMvM7tlvQ==",
                "sha1": "3e28655f2756e0f0835bf0d9a7bf74dbdd9dec96"
            },
            "filename": "core-2.4.2.tgz"
        }
    ],
    "ips": [
        "213.218.160.189"
    ]
}