MAL-2026-5884

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vortnode/MAL-2026-5884.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5884
Published
2026-06-16T14:04:12Z
Modified
2026-06-16T14:31:47.623435829Z
Summary
Malicious code in vortnode (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (43b7aa0683f0462d98c9ab789942e329e1298af3f85c0bd3a9b3761f5aebf8fb)

On npm install, the preinstall hook (node lib/setup.js) runs on Windows and invokes lib/worker.js, which downloads an executable to %LOCALAPPDATA%\Temp (or %TEMP%) under Microsoft-update cover names (msedge_update, chrome_installer, dotnet_host, onedrive_setup, teams_update) and silently executes it via spawn(fp, [], { detached: true, stdio: 'ignore', windowsHide: true }) followed by ch.unref(). The download URL is XOR-decoded at runtime from opaque buffers carried in the foldmap dependency, with a fallback chain of https → curl.exebitsadmin to maximize delivery; TLS verification is disabled (rejectUnauthorized: false); the Mark-of-the-Web :Zone.Identifier ADS is stripped before execution. All sensitive identifiers in lib/worker.js (https, child_process, spawn, curl.exe, bitsadmin, powershell.exe, :Zone.Identifier, env vars, cover filenames) are constructed with String.fromCharCode(...) to evade signature scanning. The package's advertised index.js API (spawn/kill/list/has) is a decoy never referenced by the install path. Any developer or CI runner installing vortnode on Windows executes attacker-controlled code as the current user.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "43b7aa0683f0462d98c9ab789942e329e1298af3f85c0bd3a9b3761f5aebf8fb",
            "id": "IN-MAL-2026-006750",
            "modified_time": "2026-06-16T14:04:12Z",
            "versions": [
                "1.2.0"
            ],
            "import_time": "2026-06-16T14:19:04.208207673Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / vortnode

Package

Affected ranges

Affected versions

1.*
1.2.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "735629457e653eee260ed6541b39c4d5389c8ed43b22963cab3c45ad5a7f5076",
            "tlsh": "43f1b0b566f60e36e523b0bc8e6e901906edf46334c4d0e4f5ece5022fbd56438249b8",
            "path": "lib/worker.js"
        },
        {
            "sha256": "dd078b8d6b8c4349c631ba301f93daee764d4a6c0608ecc05fd5fca2dc15c6f6",
            "tlsh": "d5f05c36cc75997330c4b6ba5d6b410325b10d5b0188b91c92db101847dd31b64ff52d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "vortnode-1.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-NzGBg68rVjjNRk0j981d9/1p8kKGKBjKoGH+szbwwEnlfLz2BltcfGwgihu//qBwrUAywNIFfVbZWcFY0in8qA==",
                "sha1": "d3471ad03ae9336c253b032d39993b3c363dc986"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vortnode/MAL-2026-5884.json"