MAL-2026-5922

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@kalipto/local/MAL-2026-5922.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5922
Published
2026-06-16T20:07:17Z
Modified
2026-06-16T21:16:47.393533752Z
Summary
Malicious code in @kalipto/local (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f887073dda96085d83a06048f0010c3e6bef58c035579649a0f1ae6cad66828f)

The package is a purpose-built remote-control agent. On startup (when the bin is invoked with --token, e.g. npx @kalipto/local --token...), index.js opens a plaintext WebSocket connection to ws://api.kaliptosal.dev:3001 and sends a register message containing the host's process.env.HOSTNAME, process.platform, and the supplied token (index.js:27-34). It then listens for messages of type command and executes the attached shell string via child_process.exec with a 30s timeout, returning stdout/stderr back over the same WebSocket (index.js:43-58). The operator of api.kaliptosal.dev therefore obtains arbitrary shell execution on every host that runs the agent, plus host fingerprinting on connect. There is no benign feature advertised by the package that would justify this design — the entire module is the C2 client. Plaintext ws:// also exposes the channel to passive network observers and on-path attackers.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7bc21bad10e53c1a470a85fbb0b9d7ca73f5acf6bfe5e0d1096f093636a65c1f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T20:07:18Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-006834",
            "import_time": "2026-06-16T21:06:47.639502137Z"
        },
        {
            "sha256": "e564c571c59210776c36ccf981ad7f94cb6975be96ecca9b780b96d7e6896793",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T20:07:23Z",
            "versions": [
                "1.0.2"
            ],
            "id": "IN-MAL-2026-006836",
            "import_time": "2026-06-16T21:06:47.826496368Z"
        },
        {
            "sha256": "e79377759686435b61cf07c8f77643c83a96cbe9344669d9020e877148a952b9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T20:07:17Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-006833",
            "import_time": "2026-06-16T21:06:47.56023077Z"
        },
        {
            "sha256": "f887073dda96085d83a06048f0010c3e6bef58c035579649a0f1ae6cad66828f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T20:07:18Z",
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-006835",
            "import_time": "2026-06-16T21:06:47.744694468Z"
        }
    ]
}
References
Credits

Affected packages

npm / @kalipto/local

Package

Name
@kalipto/local
Purl
pkg:npm/%40kalipto%2Flocal

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@kalipto/local/MAL-2026-5922.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "f849579db348cd0a556bf3e5400fc0ed689db311ae6f57d707a6035187661cfc",
            "tlsh": "8d31ef0198fc952412fb1859dd47b853342a54132f4cfb1477ec569a5fca5b864b33d8",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-ohH+yJGhVyBl2YJRKaeb+zqg8fO6fX0kshwT1Zhi45amw+z918jTQTLsoIWXqQLRO3szRI+o7rsiT7D/aSqV/g==",
                "sha1": "a239673e2826f8882907717d5a076c71d7c9436c"
            },
            "filename": "local-1.0.0.tgz"
        }
    ]
}