MAL-2026-5932

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/package-uploader/MAL-2026-5932.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5932

Aliases

GHSA-q8q6-p47p-ppp3

Published

2026-06-16T22:18:21Z

Modified

2026-06-26T05:46:26.135458890Z

Summary

Malicious code in package-uploader (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (69b86134d9cd019c2d8ad172eed54cd4a48839d69ed2c6af52b79ef5080da765)

package-uploader@1.3.25 ships an install-hook.js that runs automatically as the npm postinstall script (package.json declares "postinstall": "node install-hook.js"). The hook embeds a 383KB base64 string (LAUNCHERBINBASE64), XOR-decrypts it with key 0x42, writes the result to %TEMP%/tmp_<timestamp>.exe, and launches it detached via spawn('cmd', ['/c', 'start', '/b', TEMP_EXE], { detached: true }) — a classic obfuscated-binary dropper executed on every npm install. After dropping the payload, a detached cleanup process waits ~90 seconds and then edits the victim's package.json and package-lock.json to remove the dependency entry (the cleanup code references the name mailconfirmer, indicating the campaign re-publishes under rotating names) and recursively deletes the installed module directory; if direct deletion fails, it registers a Windows scheduled task via schtasks /create to remove the directory later. The package's stated purpose is a UI navbar library and the index.js entry point exports only theme colors as a decoy — completely unrelated to executing a Windows binary. The combination of name/description/decoy-main mismatch, embedded XOR-encrypted PE payload, automatic postinstall execution, and anti-forensics manifest tampering is an unambiguous supply-chain dropper.

Source: ghsa-malware (bff6fcd6a006b2e192444a5bc9d243bf488093447d2b4aa211eddba43d0236c2)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific

{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.3.25"
            ],
            "modified_time": "2026-06-16T22:18:21Z",
            "sha256": "69b86134d9cd019c2d8ad172eed54cd4a48839d69ed2c6af52b79ef5080da765",
            "id": "IN-MAL-2026-006841",
            "source": "amazon-inspector",
            "import_time": "2026-06-16T23:03:43.198691643Z"
        },
        {
            "source": "ghsa-malware",
            "modified_time": "2026-06-26T05:13:26Z",
            "sha256": "bff6fcd6a006b2e192444a5bc9d243bf488093447d2b4aa211eddba43d0236c2",
            "id": "GHSA-q8q6-p47p-ppp3",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-26T05:41:02.347225497Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / package-uploader

Package

Name: package-uploader; View open source insights on deps.dev
Purl: pkg:npm/package-uploader

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.25

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]

indicators

{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-eJeECikvclcXLrhZnUvICQJdNBhahC1eYEc9CH4Bv7nExw/RYY/DbpM9E1izB4jzAsUDMKxJL2XGU1rD85Z7dA==",
                "sha1": "35032eb815e35d5114c0659501e6cf8cf05371fa"
            },
            "filename": "package-uploader-1.3.25.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "install-hook.js",
            "tlsh": "d5846ce18d4c1549a7288be1e69fe6e06ce236027854e5d87fcc79ca03389b76d650cf",
            "sha256": "a1091c132f65787aa89cc2e3a689d4ccfbc31af88577615590f76daa204c0d66"
        },
        {
            "path": "package.json",
            "tlsh": "74d0951fce5152332074cf945c6e171e77120f2e11a05c07707700d84191bf1442f70a",
            "sha256": "fa5bd0928b7bf428ee95ee049643424cbff05d4d69852632ca1c07b56cb60197"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/package-uploader/MAL-2026-5932.json"