MAL-2026-5859

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/setka-editor/MAL-2026-5859.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5859

Published

2026-06-16T02:14:53Z

Modified

2026-06-16T02:31:45.601822105Z

Summary

Malicious code in setka-editor (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069)

package.json registers both preinstall and postinstall lifecycle hooks that run node callback.js, which executes automatically on npm install. callback.js collects installer-side identity and environment data — username, uid/gid, homedir, hostname, platform, cwd, local network interfaces, external IP via api.ipify.org, Node version, and CI/secret-presence flags (AWSACCESSKEYID, GITHUBTOKEN, NPMTOKEN, DOCKERPASSWORD) — and POSTs the result to a hardcoded Discord webhook (https://discord.com/api/webhooks/1516163806559076442/...). A DNS-based exfiltration fallback is also implemented. The package self-identifies as a dependency-confusion PoC and is published at version 999.0.0 to outrank private-registry packages of the same name; any build pipeline that resolves setka-editor from the public npm registry will execute the callback and leak the listed data. Regardless of stated research intent, the install-time exfiltration of installer host data and CI secret-presence flags to an attacker-controlled Discord endpoint is a real supply-chain attack against any pipeline that resolves this name.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006740",
            "import_time": "2026-06-16T02:23:12.169676039Z",
            "source": "amazon-inspector",
            "versions": [
                "999.0.0"
            ],
            "sha256": "a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069",
            "modified_time": "2026-06-16T02:14:53Z"
        }
    ]
}

References

https://www.npmjs.com/package/setka-editor/v/999.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / setka-editor

Package

Name: setka-editor; View open source insights on deps.dev
Purl: pkg:npm/setka-editor

Affected ranges

Affected versions

999.*

999.0.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/setka-editor/MAL-2026-5859.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "package_integrity": [
        {
            "filename": "setka-editor-999.0.0.tgz",
            "hashes": {
                "sha1": "6effd8fbbd258b71201571fade147b16c5a2a289",
                "sha512_sri": "sha512-nR2hWu01oGWBZYrxY6gvi4ArsN2i/h2GRb3MhrKWnJ5yq3hgSbLl8iVesNf8IoX252LqeLtU4wxbjx0ihxMHag=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "callback.js",
            "sha256": "58f088e7a9bdfcc0fce3475ad08d6b964fe704c4ef93d7a3b094fcd5db998c7c",
            "tlsh": "2e12c6a556b1561005e347a02a1fa416327af1673756deb0bbdc43182fc1b3c93f2eba"
        },
        {
            "path": "package.json",
            "sha256": "d04048417cc50a5cfc305df0200164875ee12d453ebf97529eed394048bde59a",
            "tlsh": "bae0682058155e733cd0ceeb012692592420cd07141c3d0c3b970298935eb775abb6ae"
        }
    ]
}