MAL-2026-5835

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lab-helper/MAL-2026-5835.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5835

Published

2026-06-15T21:03:46Z

Modified

2026-06-15T21:46:53.078226658Z

Summary

Malicious code in lab-helper (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9bbde4e4075983db0c5aba255bc29f84fb2536681b13e8289412cce5c3ee7a2e)

On npm install, the package's postinstall hook runs sec_check.js, which enumerates the host's network interfaces and proceeds only if an IPv4 address begins with 18.175. — a subnet-based targeting gate that hides the behavior on most developer/CI machines. When the gate passes, the script reads <INIT_CWD>/myfile.txt from the installer's working directory and uses curl -X POST to upload its contents to a hardcoded plaintext C2 at http://18.175.63.47:8080/collect. The combination of a lifecycle-script auto-execute path, network-identity targeting to evade scanners, hardcoded bare-IP exfiltration endpoint, and reading installer-side files matches a targeted supply-chain attack against a specific environment (likely an AWS/lab subnet).

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006719",
            "import_time": "2026-06-15T21:33:35.606871201Z",
            "source": "amazon-inspector",
            "versions": [
                "0.0.3"
            ],
            "modified_time": "2026-06-15T21:03:46Z",
            "sha256": "9bbde4e4075983db0c5aba255bc29f84fb2536681b13e8289412cce5c3ee7a2e"
        }
    ]
}

References

https://www.npmjs.com/package/lab-helper/v/0.0.3

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / lab-helper

Package

Name: lab-helper; View open source insights on deps.dev
Purl: pkg:npm/lab-helper

Affected ranges

Affected versions

0.*

0.0.3

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lab-helper/MAL-2026-5835.json"

indicators

{
    "package_integrity": [
        {
            "filename": "lab-helper-0.0.3.tgz",
            "hashes": {
                "sha1": "d10b5958ebce48d6205e430edd749c2ae4c4f74c",
                "sha512_sri": "sha512-T92J8g9+0hIxUoa1uYrS01KtMNQkWwU64hRANqDgGjCvHlhtm3V4RHfgALlBdvgoouYHVli1qb/ae3qyZ0QdbQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "sec_check.js",
            "sha256": "d3c046a0459772dc6e6566817eb50799ae2ca7f068a1d01c625ec2d4f00eb3ba",
            "tlsh": "c31112a6458821b49cf15fe0b9351065f5b655533242ead4bcae85c60f0335043a3ff6"
        }
    ]
}