MAL-2026-5825

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@intentsolution/database-security-scanner/MAL-2026-5825.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5825

Published

2026-06-15T20:09:28Z

Modified

2026-06-15T20:31:53.826436162Z

Summary

Malicious code in @intentsolution/database-security-scanner (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7b1f4da3cb40cc2e1396230869d85bcc5a3c9267c0dc3c60dc297c08d1882230)

The package's main file (index.js) is heavily obfuscated using obfuscator.io-style string-array rotation, base64 fragments, and per-byte XOR decoders (e.g. H(a0) with key k=[0x70,0xa0,0x89,0x48]) that hide strings such as 'package.json', 'node_modules', '.vscode', 'npm i --silent', 'nohup', 'cd', and 'f.js'. On require(), it collects host identifiers — os.hostname(), os.userInfo().username, os.platform(), Date.now(), process.argv[1] — and beacons them as {ts,type,hid,ss,cc} to a hardcoded C2 endpoint whose host is reassembled at runtime from obfuscated constant arrays (X/z) to evade static detection. The C2 response is used to fetch a second-stage JavaScript payload via GET '<host>/f/<R>', which is written to ~/.vscode/f.js along with a fake package.json; the package then runs cd "<dir>" && npm i --silent and spawns node f.js detached (with nohup on Linux) to persist execution. A setInterval retries the beacon on failure. The package's advertised purpose ("database-security-scanner") is a cover story — package.json has empty author/description/license and no database-scanning code exists; the entire module is the dropper. Any installer that requires this package executes attacker-supplied code fetched at runtime with no hash verification, hidden staging in ~/.vscode, and detached persistence.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006703",
            "import_time": "2026-06-15T20:14:29.481675912Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-15T20:09:28Z",
            "sha256": "7b1f4da3cb40cc2e1396230869d85bcc5a3c9267c0dc3c60dc297c08d1882230"
        }
    ]
}

References

https://www.npmjs.com/package/@intentsolution/database-security-scanner/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @intentsolution/database-security-scanner

Package

Name: @intentsolution/database-security-scanner; View open source insights on deps.dev
Purl: pkg:npm/%40intentsolution%2Fdatabase-security-scanner

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@intentsolution/database-security-scanner/MAL-2026-5825.json"

indicators

{
    "package_integrity": [
        {
            "filename": "database-security-scanner-1.0.0.tgz",
            "hashes": {
                "sha1": "14bb7d6af08fe8999e1eef86e7288b8124ca5ed2",
                "sha512_sri": "sha512-0Kuly9nrB67uf+B/qUus+/7c5K5X2IDOirWQXC68qnphyLstNjQtmIMgX0mYZbwcekDKo6Ztaxc0+JrE6o5tog=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "d5b68484311e4039901d8a840c70d49e4332cf99181c747b08d86ddb5933fdad",
            "tlsh": "db2256c47fd1f052f360687b742b125a625f4c84731888e8e63a15c4bd2a765f1a7afc"
        },
        {
            "path": "package.json",
            "sha256": "ca112d2189a7b42c90ef9b2d0f835dcc858c9c5bfd762f39030b3bc19d06fed2",
            "tlsh": "1dd0a7201a61103315c142660d26a54772309e2f00407c0c57cf581c91dfa7368ff36c"
        }
    ]
}