MAL-2026-5882

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/redis-type-os/MAL-2026-5882.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5882
Aliases
  • GHSA-w3ww-qq48-r4j9
Published
2026-06-16T11:54:37Z
Modified
2026-07-08T23:46:58.727250729Z
Summary
Malicious code in redis-type-os (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8f9fefcfb296b7a9b0c08dc47f628f1987d349d5b57cc9b3c5cb2ce7e331f7e4)

Package is published as redis-type-os but all in-package references (README, docs/, CHANGELOG, repository field, author email) point to redis-om / redis-om-node by Guy Royse. dist/index.js is the upstream redis-om bundle verbatim. The only meaningful divergence from upstream is an added runtime dependency hex-type@^3.0.2 declared in package.json, which is not imported anywhere in the shipped code. The package itself contains no exfiltration, dropper, install hook, or credential-handling code; the carrier ships legitimate redis-om functionality. The supply-chain concern is two-fold: (1) the package name (redis-type-os vs redis-om) plus impersonated author identity creates confusion for developers who mistype the real package, and (2) installing it silently pulls hex-type into the dependency closure for reasons unrelated to the advertised functionality. Whether hex-type itself is benign or malicious must be evaluated separately. Routed for human review because name-similarity and author-impersonation are subjective judgments and the carrier itself executes no harmful code at install or import time.

Source: ghsa-malware (99c007b1300db882ef2517bb7c64d7ecc069ad07d404c8b56c66b846b75bab49)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "id": "GHSA-w3ww-qq48-r4j9",
            "source": "ghsa-malware",
            "import_time": "2026-06-16T12:53:54.974546539Z",
            "sha256": "99c007b1300db882ef2517bb7c64d7ecc069ad07d404c8b56c66b846b75bab49",
            "modified_time": "2026-06-16T11:54:37Z"
        },
        {
            "sha256": "a429d54b395e18b5f07087e988c60a17ce853d2f3d910f176a011b5f12838f2a",
            "id": "IN-MAL-2026-008630",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T21:54:10.223946717Z",
            "modified_time": "2026-07-08T21:36:09Z",
            "versions": [
                "1.0.3"
            ]
        },
        {
            "modified_time": "2026-07-08T22:57:19Z",
            "id": "IN-MAL-2026-008952",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T23:27:55.405388118Z",
            "sha256": "4dfe39b36ce7a904f089590dd694753c6134fcff8854fdbe422fc2dc972b5aea",
            "versions": [
                "1.0.6"
            ]
        },
        {
            "modified_time": "2026-07-08T23:00:36Z",
            "id": "IN-MAL-2026-008975",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T23:27:56.86015403Z",
            "sha256": "8f9fefcfb296b7a9b0c08dc47f628f1987d349d5b57cc9b3c5cb2ce7e331f7e4",
            "versions": [
                "1.0.7"
            ]
        },
        {
            "modified_time": "2026-07-08T22:59:14Z",
            "id": "IN-MAL-2026-008965",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T23:27:56.109341349Z",
            "sha256": "d4d1a4ef390b419d78c03ba48f39b39d377c0f9f2d93dcc894ad02245f70fc95",
            "versions": [
                "1.0.10"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / redis-type-os

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.3
1.0.6
1.0.7
1.0.10

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "ca319c23c92ace331af89265bd7a8505f172870f6150dc0f71f606ac4f7b5571469b39",
            "sha256": "b72bcb1f42ebec6728adb1d3e18f6e926e9ab1309822512a80f62dba2dcbb0df"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/redis-type-os/MAL-2026-5882.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]