MAL-2026-5859

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/setka-editor/MAL-2026-5859.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5859
Aliases
  • GHSA-4626-p8q4-554f
Published
2026-06-16T02:14:53Z
Modified
2026-06-23T07:46:21.865706651Z
Summary
Malicious code in setka-editor (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069)

package.json registers both preinstall and postinstall lifecycle hooks that run node callback.js, which executes automatically on npm install. callback.js collects installer-side identity and environment data — username, uid/gid, homedir, hostname, platform, cwd, local network interfaces, external IP via api.ipify.org, Node version, and CI/secret-presence flags (AWSACCESSKEYID, GITHUBTOKEN, NPMTOKEN, DOCKERPASSWORD) — and POSTs the result to a hardcoded Discord webhook (https://discord.com/api/webhooks/1516163806559076442/...). A DNS-based exfiltration fallback is also implemented. The package self-identifies as a dependency-confusion PoC and is published at version 999.0.0 to outrank private-registry packages of the same name; any build pipeline that resolves setka-editor from the public npm registry will execute the callback and leak the listed data. Regardless of stated research intent, the install-time exfiltration of installer host data and CI secret-presence flags to an attacker-controlled Discord endpoint is a real supply-chain attack against any pipeline that resolves this name.

Source: ghsa-malware (6fb29ab46c42c9962ff0c7b312d2a096be780a465764991d1861ab79fecf200a)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-16T02:14:53Z",
            "id": "IN-MAL-2026-006740",
            "source": "amazon-inspector",
            "import_time": "2026-06-16T02:23:12.169676039Z",
            "sha256": "a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069",
            "versions": [
                "999.0.0"
            ]
        },
        {
            "modified_time": "2026-06-22T16:26:26Z",
            "id": "IN-MAL-2026-007104",
            "source": "amazon-inspector",
            "import_time": "2026-06-22T16:36:58.368377006Z",
            "sha256": "349eadfbed87fb776d89d65217a281f4d259dcddfbd23a1fa087fc206bb2551a",
            "versions": [
                "999.99.99"
            ]
        },
        {
            "modified_time": "2026-06-22T16:26:37Z",
            "id": "IN-MAL-2026-007105",
            "source": "amazon-inspector",
            "import_time": "2026-06-22T16:36:58.44309686Z",
            "sha256": "f3fb9da9a52ae56ec86c3669e188d366e44f02d4c9b278d84ce6c015d4c3ee2a",
            "versions": [
                "999.9.9"
            ]
        },
        {
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "id": "GHSA-4626-p8q4-554f",
            "source": "ghsa-malware",
            "import_time": "2026-06-23T07:33:18.907579932Z",
            "sha256": "6fb29ab46c42c9962ff0c7b312d2a096be780a465764991d1861ab79fecf200a",
            "modified_time": "2026-06-23T06:10:52Z"
        }
    ]
}
References
Credits

Affected packages

npm / setka-editor

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

999.*
999.0.0
999.9.9
999.99.99

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "callback.js",
            "tlsh": "2e12c6a556b1561005e347a02a1fa416327af1673756deb0bbdc43182fc1b3c93f2eba",
            "sha256": "58f088e7a9bdfcc0fce3475ad08d6b964fe704c4ef93d7a3b094fcd5db998c7c"
        },
        {
            "path": "package.json",
            "tlsh": "bae0682058155e733cd0ceeb012692592420cd07141c3d0c3b970298935eb775abb6ae",
            "sha256": "d04048417cc50a5cfc305df0200164875ee12d453ebf97529eed394048bde59a"
        }
    ],
    "package_integrity": [
        {
            "filename": "setka-editor-999.0.0.tgz",
            "hashes": {
                "sha1": "6effd8fbbd258b71201571fade147b16c5a2a289",
                "sha512_sri": "sha512-nR2hWu01oGWBZYrxY6gvi4ArsN2i/h2GRb3MhrKWnJ5yq3hgSbLl8iVesNf8IoX252LqeLtU4wxbjx0ihxMHag=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/setka-editor/MAL-2026-5859.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]