MAL-2026-5973

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/classbreeze-utils/MAL-2026-5973.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5973
Aliases
  • GHSA-gj7f-m4cx-vmx3
Published
2026-06-17T04:18:32Z
Modified
2026-07-08T23:01:47.159938700Z
Summary
Malicious code in classbreeze-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e19daf4f946816f5ba3c6e592eacc980861b281c6752b738de57fdd31f49279d)

The package masquerades as a Tailwind plugin: README and the top of src/index.js are a verbatim clone of @tailwindcss/typography (require('tailwindcss/plugin'), prose-* class generator), even though the package name has no relationship to Tailwind. Appended after the cloned plugin code at src/index.js:124+ is a heavily obfuscated IIFE using an RC4-decoded string array and AES-decipher key table to hide its strings and control flow. The decoded action table contains keys 'cmd.npx', 'cmd.npxwin', 'pkg.link', 'cmd.install', 'flag.yes', which are consumed by helpers that call childprocess.spawn with detached:true, stdio:'ignore', windowsHide:true and creationFlags set to DETACHEDPROCESS to silently run npx -y <pkg.link>, fetching and executing an attacker-controlled package from the npm registry on the developer's machine. On Windows an additional path uses keys 'ext.vbs', 'vbs.tag', 'win.wscript': a VBS file is written to os.tmpdir() with a crypto.randomBytes(4) hex prefix and launched via wscript.exe (detached, windowsHide), followed by process.exit(0), to hide the dropper invocation from the console. The action table also contains 'env.api' and 'api.base' entries, and the spawn helper clones process.env and injects api.base as the env.api value into the child, so the downstream npx-fetched package receives a C2/telemetry endpoint via environment. Because require('classbreeze-utils') is the plugin entry point loaded by any Tailwind build that adds it, the dropper fires automatically as soon as a build that depends on it runs, executing arbitrary attacker-controlled code on the developer/CI machine.

Source: ghsa-malware (cd3cdd1459bd1dce092c75b17f3940659f740a4efe533ba30b345976cef97736)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.7.8"
            ],
            "id": "IN-MAL-2026-006874",
            "modified_time": "2026-06-17T04:18:32Z",
            "import_time": "2026-06-17T05:45:41.612565844Z",
            "sha256": "bd50696fc7ff4ed1899df5a40dc90cbb7b5480f083bca92a2272884d7540783e",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "0.7.10"
            ],
            "id": "IN-MAL-2026-007020",
            "import_time": "2026-06-18T19:20:02.515827648Z",
            "sha256": "50647f0da027926236690384c4a16284d0625f569870e1d27bb6bc9213b72c00",
            "modified_time": "2026-06-18T19:08:20Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "0.7.9"
            ],
            "id": "IN-MAL-2026-007021",
            "import_time": "2026-06-18T19:20:02.59350664Z",
            "sha256": "e19daf4f946816f5ba3c6e592eacc980861b281c6752b738de57fdd31f49279d",
            "modified_time": "2026-06-18T19:08:26Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "0.7.10",
                "0.7.9",
                "0.7.8",
                "0.7.7"
            ],
            "id": "GHSA-gj7f-m4cx-vmx3",
            "import_time": "2026-07-06T18:54:03.597032315Z",
            "modified_time": "2026-07-06T18:52:12Z",
            "sha256": "cd3cdd1459bd1dce092c75b17f3940659f740a4efe533ba30b345976cef97736",
            "source": "ghsa-malware"
        },
        {
            "versions": [
                "0.7.7"
            ],
            "id": "IN-MAL-2026-008832",
            "import_time": "2026-07-08T22:51:25.659911688Z",
            "modified_time": "2026-07-08T22:39:45Z",
            "sha256": "9d396f3d8936c43784581b15824f4aeafecc325ef03d53d28116764772c2aab8",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / classbreeze-utils

Package

Affected ranges

Affected versions

0.*
0.7.7
0.7.8
0.7.9
0.7.10

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "7382e8c436d2b0a0527712731b9b90e9e23998c3780d788bf07cb29dbf1866cd7a1d59",
            "sha256": "538bc398c34413de4c95370b4a06405179639d4d0ef5002bf575805ffc7190fa",
            "path": "src/index.js"
        },
        {
            "tlsh": "e76283a5cd62eff23b3380a663cb905ab713934f85105a827dac915c2fcd7da41ad58c",
            "sha256": "5c456cc04b8dfa3f97324ed7b306a5962bf3cc10ba0f635ee20e7494c8f813ec",
            "path": "README.md"
        }
    ],
    "package_integrity": [
        {
            "filename": "classbreeze-utils-0.7.8.tgz",
            "hashes": {
                "sha512_sri": "sha512-nu2NX6KDxPbRbHr5E/9wlvLAjgHMxbdrp91zQnL+bswKJ3Z8HAdX8krXvrrndLUX3mUMhbhcW+MztkFdHoDiyw==",
                "sha1": "81b2021c8bdfa0a97e5dd23bbd61ca373119b04a"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/classbreeze-utils/MAL-2026-5973.json"