MAL-2026-5931
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mci-sdk/MAL-2026-5931.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5931
- Published
- 2026-06-16T22:17:46Z
- Modified
- 2026-06-16T23:16:58.080810914Z
- Summary
- Malicious code in mci-sdk (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (1ae26c09350fdf9fb630e382c71dd730583ba1822122d232cde49a259597264f)
On
npm install, mci-sdk runs the postinstall hooknode./src/exec.js, which importsmcifromsrc/core/index.jsand invokes it at module top level. The function reads a base64-encoded value stored asMULTI_CHAIN_CONFIG.dev.apiKeyinsrc/core/config.js(aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iLzJQNUZB), decodes it tohttps://jsonkeeper.com/b/2P5FA, fetches the JSON via axios, and pipesresponse.data.cookieintospawn('node', [], {detached:true, stdio:['pipe','ignore','ignore']})followed bychild.unref(). The fetched payload is therefore executed as Node.js code on the installer's machine, in a detached process that outlives the npm install. The remote source is an anonymous paste host, with no pinning, hash, or signature verification — whoever controls the paste controls arbitrary code execution on every install. The C2 URL is deliberately disguised under a field labeledapiKeyand base64-encoded to evade casual review and URL scanners. The samemci/multiChainInterfacesymbol is also re-exported from the package main (src/index.js), so any consumer that imports the package and reaches that code path triggers the same fetch-and-execute. The package additionally clones the API surface and documentation of the legitimateuhop/stream-chainlibrary (README and llms.txt link togithub.com/uhop/stream-chain/wiki/...) to attract developers seeking that package. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-006842", "import_time": "2026-06-16T23:03:43.342539083Z", "versions": [ "1.2.8" ], "source": "amazon-inspector", "modified_time": "2026-06-16T22:18:38Z", "sha256": "1ae26c09350fdf9fb630e382c71dd730583ba1822122d232cde49a259597264f" }, { "id": "IN-MAL-2026-006839", "import_time": "2026-06-16T23:03:43.064929356Z", "source": "amazon-inspector", "versions": [ "1.2.10" ], "modified_time": "2026-06-16T22:17:46Z", "sha256": "3d17c89e8b90b6c893c9e3ea7d6ec1314857ff2641675cac39b7feac0a039bcd" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / mci-sdk
Package
- Name
- mci-sdk
- View open source insights on deps.dev
- Purl
- pkg:npm/mci-sdk
Database specific
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mci-sdk/MAL-2026-5931.json"
indicators
{
"package_integrity": [
{
"filename": "mci-sdk-1.2.8.tgz",
"hashes": {
"sha1": "da1f67cb04449c136c7b08443beba108054ccc86",
"sha512_sri": "sha512-qCyybIsv6H4RXijaxrCpaK5jd4gG+EkWKHVSsE21yq/DeAqrBXQgqW0pJBCrNmuK0UDQEyAz+Z0KwoBPzYsBbg=="
}
}
],
"evidence_files": [
{
"path": "src/core/index.js",
"sha256": "c2c83eee776d1fe2ee88d2f8c6b3378131afdee9c38df5e0a3180cab6d1ef3ad",
"tlsh": "df5136d654bb212c4592606cc5af222706618901f684b198ed793122efd3089eb2fefd"
},
{
"path": "src/core/config.js",
"sha256": "17c5efa20aec6fd00d212423c5aa16827a64d318d783c7dab9834f1581c4edde",
"tlsh": "0bd0a986ea229e464cb02bb0a03a224697231bbb7c980e05349d408d0bb59520808f98"
},
{
"path": "README.md",
"sha256": "29984af97bad0bb65706e36cf58a8ad2070b5de3d569c8ba0a047be63ddb727d",
"tlsh": "16f1e9af6b1023670e5715e8d2e9668dc732d04fd71004a8447bc468eb464fda63debe"
},
{
"path": "src/exec.js",
"sha256": "dcdf836e76dd604875d64a6e36509cf87e4ddc962828602f18ba6dec6d6fcb65",
"tlsh": "c7f18599b6e7113a431360b8d64fc416ab2a8403a15d88f6b25e52107f82438e5bdefd"
}
]
}