MAL-2026-5896

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jest-test-plugin-utils/MAL-2026-5896.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5896
Published
2026-06-16T15:37:20Z
Modified
2026-06-16T16:16:47.922937697Z
Summary
Malicious code in jest-test-plugin-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3f948eff13632557a65152c587b6aa87783e49cf40504aedca8ee15da6ed205e)

The package advertises itself as a Jest plugin (name: 'jest-test-plugin-utils', description: 'mqtt utils') but ships no Jest or MQTT functionality. Its main entry dist/index.js is a heavily obfuscated 200KB browserify bundle (obfuscator.io fingerprint: 1299-entry rotated string array, decoder wrapper, control-flow flattening; built with the declared devDependency 'gulp-javascript-obfuscator').

After deobfuscation, the only meaningful behavior is a function loadFilbetScriptSilently() (exposed as window.fetchFilbetScript) that creates a <script> element with src='https://cdn.jsdelivr.net/gh/gongben2024/network-security@main/src/filbet.js' and appends it to document.head, executing whatever code the author hosts at that mutable @main branch. The destination repository is named 'network-security' under author 'gongben2024' and is unrelated to the package's stated purpose. Because the reference is to the @main branch (not a pinned commit/tag), the author can change the executed payload at any time without republishing this package.

Any application that bundles or imports this module will execute attacker-controlled JavaScript in the browser context, with full access to the host page's DOM, cookies, and storage. The combination of name camouflage, heavy obfuscation, and unpinned remote-script execution is a deliberate supply-chain attack pattern.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "3f948eff13632557a65152c587b6aa87783e49cf40504aedca8ee15da6ed205e",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T15:37:24Z",
            "id": "IN-MAL-2026-006765",
            "import_time": "2026-06-16T16:06:34.427097256Z"
        },
        {
            "id": "IN-MAL-2026-006764",
            "import_time": "2026-06-16T16:06:34.332185997Z",
            "sha256": "54c5196f3361da72dfccd2c8abb0caba132415f9907602c5a6ec92d6da2e077f",
            "modified_time": "2026-06-16T15:37:23Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.2"
            ]
        },
        {
            "sha256": "bb80fa98045e0dd75514425f419aa986e7e57bfa888d8baaa8c5eb0016418f83",
            "versions": [
                "1.0.1"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T15:37:30Z",
            "id": "IN-MAL-2026-006766",
            "import_time": "2026-06-16T16:06:34.568829617Z"
        },
        {
            "id": "IN-MAL-2026-006763",
            "import_time": "2026-06-16T16:06:34.127682958Z",
            "sha256": "f5445eba984ab32829120583a68c6bfc2fa8aec2f875b506c873de598f1d27d1",
            "modified_time": "2026-06-16T15:37:20Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.4"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / jest-test-plugin-utils

Package

Name
jest-test-plugin-utils
Purl
pkg:npm/jest-test-plugin-utils

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.4

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "jest-test-plugin-utils-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-ipOiWo9EBBPkhnInqSV4Se9fDI6iUR/13dKvtt04vFctEePsyzs2NuYD4JAkmm/jZw7gpc7hDbyCvCBjIWlK2Q==",
                "sha1": "b8a42abd71c8e56f7560f015cdc53596b0f9b476"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "a61584375c14c072e01ec862ed28d36ff0157245a5b195229da9dafa8946a040",
            "tlsh": "e514404077c0b844538b1fba766fb4e5e46b1de934c4090bc515fca0f5baa26fae2934",
            "path": "dist/index.js"
        },
        {
            "sha256": "b152b66b1f3a7e2634d7dcdb3cf45409e2fa55d9770b061f6f6f5c92db06f513",
            "tlsh": "fdf02734dd71987306e820e51c682167e0709d2bc245fd1c33c7140c4a5f2eb64be6ac",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jest-test-plugin-utils/MAL-2026-5896.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]