MAL-2026-5938

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/speed4/MAL-2026-5938.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5938
Published
2026-06-16T23:42:21Z
Modified
2026-06-17T00:16:41.997457431Z
Summary
Malicious code in speed4 (npm)
Details


Source: amazon-inspector (979f38f25a707a09a4469b3dd0f24c603e2d9a195eaaa9b2a9ea3d84076dc9d0)

speed4@1.1.7 is part of a self-cloning namespace-squatting family. The tarball contains auto-publish.sh, which sets BASE="speed" and TOTAL=5, copies the package contents into tmp_speedN directories, rewrites the package.json name to speed1..speed5, and runs npm publish --silent for each variant. Nested leftover directories tmp_speed3/tmp_speed2/tmp_speed1/ shipped inside the tarball confirm that the script has been executed at least three times and that all five speedN packages distribute identical content.

Package metadata is consistent with a squat: generic short name, "description": "package", empty author field.

The served content is a deceptive HTML page (index.html) that advertises a 'Riverbend Tutoring' brand while registering first-gesture click/keydown/touchstart handlers that call window.open('https://abdct.com/', '_blank', 'noreferrer') to redirect visitors to an unrelated third-party domain. The tarball additionally bundles a dozen heavily obfuscated JavaScript assets under assets/ (identifiers renamed to hex, single-line minified), duplicated across the nested clone directories.

Installing or pulling this package into a build hands the consumer an attacker-controlled deceptive payload, bundled under multiple confusable short names on the registry.
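As an added example (not code from the OSV record, the OSSF malicious-packages project or Amazon Inspector), the following Node.js function checks the files of an extracted npm package for the indicators this record describes: a bundled self-publishing shell script, leftover tmp_<base><n>/ clone directories, an HTML page that opens an external URL on the first user gesture, single-line hex-renamed JavaScript, and squat-like package.json metadata. The fixture, its file names and the example.invalid redirect target are constructed for the example.

```javascript
// Added example, not OSV/OSSF/Amazon Inspector code. `files`: tarball path -> text.
const NPM_PUBLISH = /\bnpm\s+publish\b/;
const CLONE_DIR = /(^|\/)tmp_[a-z]+\d+\//i;
const FIRST_GESTURE = /addEventListener\(\s*['"](?:click|keydown|touchstart)['"]/;
const WINDOW_OPEN = /window\.open\(\s*['"]https?:\/\/([^/'"]+)/;
const HEX_IDENT = /\b_0x[0-9a-f]{4,}\b/g;

function scanPackage(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    // Leftover tmp_<base><n>/ trees show the cloning script ran before packing.
    if (CLONE_DIR.test(path)) findings.push({ path, indicator: 'clone-dir' });
    // A shell script shipped inside the package that runs `npm publish`.
    if (/\.sh$/.test(path) && NPM_PUBLISH.test(content)) findings.push({ path, indicator: 'self-publish' });
    // HTML that opens an external URL on the first click/key/touch gesture.
    if (/\.html?$/.test(path) && FIRST_GESTURE.test(content)) {
      const m = WINDOW_OPEN.exec(content);
      if (m) findings.push({ path, indicator: 'gesture-redirect', domain: m[1] });
    }
    // Single-line JS with several hex-renamed identifiers (_0x....).
    if (/\.js$/.test(path)) {
      const idents = new Set(content.match(HEX_IDENT) || []);
      if (!content.trim().includes('\n') && idents.size >= 3) {
        findings.push({ path, indicator: 'obfuscated-js' });
      }
    }
    // Squat-like metadata: short generic name, "description": "package", no author.
    if (path.endsWith('package.json')) {
      let pkg;
      try { pkg = JSON.parse(content) || {}; } catch (e) { continue; }
      const noAuthor = !pkg.author ||
        (typeof pkg.author === 'object' && Object.keys(pkg.author).length === 0);
      if (typeof pkg.name === 'string' && pkg.name.length <= 6 &&
          pkg.description === 'package' && noAuthor) {
        findings.push({ path, indicator: 'squat-metadata' });
      }
    }
  }
  return findings;
}

// Constructed fixture mirroring the record's indicators; example.invalid stands
// in for the real redirect domain and the shell script is a one-line stub.
const SAMPLE_PACKAGE = {
  'package.json': '{"name":"speed4","version":"1.1.7","description":"package","author":""}',
  'auto-publish.sh': '#!/bin/sh\nnpm publish --silent\n',
  'index.html': '<script>document.addEventListener("click",function(){window.open("https://example.invalid/","_blank","noreferrer")},{once:true})</script>',
  'assets/a.js': 'var _0x1a2b=["x"];function _0x3c4d(_0x5e6f){return _0x1a2b[_0x5e6f]}',
  'tmp_speed3/index.html': '<html></html>',
};
```

Run it over the unpacked tarball (for example the contents of `npm pack` output) rather than the installed node_modules copy, since nested clone directories and the publish script are what the tarball itself ships.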

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.1.7"
            ],
            "modified_time": "2026-06-16T23:42:21Z",
            "sha256": "979f38f25a707a09a4469b3dd0f24c603e2d9a195eaaa9b2a9ea3d84076dc9d0",
            "id": "IN-MAL-2026-006859",
            "source": "amazon-inspector",
            "import_time": "2026-06-17T00:00:53.865444756Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / speed4
Affected ranges: 1.*
Affected versions: 1.1.7

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-wEpnpbfiKpWvD+yv1I0vQHoDYe+7OR3SA2TXtLv9W6LUUHDOKmEpO1l91FHegWrluPoesdcbGBE+f9TXQSo7Fw==",
                "sha1": "5d01c43f73f1713e02227866c7fe9e15e9deb2b2"
            },
            "filename": "speed4-1.1.7.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "auto-publish.sh",
            "tlsh": "b0f0dd85a6ae0d143d1f04ff6a8700d95647d32a54abba80e1c252d59ed2616b4078c8",
            "sha256": "3e4fdc22ab24745f0c64523657eb9bee1ce81d4174a1ba665ed551ffa59998c5"
        },
        {
            "path": "index.html",
            "tlsh": "2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad",
            "sha256": "f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/speed4/MAL-2026-5938.json"