MAL-2026-6079

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/set-proto-chain/MAL-2026-6079.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6079

Published

2026-06-17T21:38:59Z

Modified

2026-06-17T22:01:48.792756558Z

Summary

Malicious code in set-proto-chain (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bdb11eef3afbfc268bd48a18737884246861c7ae9e6a3d29901ae1379216c633)

lib/index.js contains a base64-encoded URL (decoding to https://jsonkeeper.com/b/BN77K, an anonymous mutable paste host) that is fetched via axios.get; the response's .data.cookie field is then written to the stdin of a detached node child process for execution. The top-level index.js calls getThetaInterface() unconditionally, and package.json declares postinstall: node index.js, so the fetch-and-execute path fires automatically on npm install as well as on require(). The fetched payload is attacker-controlled and can change at any time. The package additionally impersonates the legitimate proto-chain package (README header # proto-chain, runtime error messages referencing require('proto-chain')), making accidental installs more likely.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "bdb11eef3afbfc268bd48a18737884246861c7ae9e6a3d29901ae1379216c633",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T21:38:59Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-006943",
            "import_time": "2026-06-17T21:42:18.106575788Z"
        }
    ]
}

References

https://www.npmjs.com/package/set-proto-chain/v/1.0.3

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / set-proto-chain

Package

Name: set-proto-chain; View open source insights on deps.dev
Purl: pkg:npm/set-proto-chain

Affected ranges

Affected versions

1.*

1.0.3

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/set-proto-chain/MAL-2026-6079.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "72a8a52cbb98921b689173423a2970d414fd2c32e3a5aea47db7be9550024a10",
            "tlsh": "46f0275b317b63781f700de0d53289364d43d020f582d1e4648e80579a8b647044aeec",
            "path": "lib/index.js"
        },
        {
            "sha256": "ce924b408f4f3fc6200295dc9c5a8083a6bf5802872cb8cf7c495d1d1b9ee6d5",
            "tlsh": "0d21bb21e4e2aca307e5526a3c2e52573191d917898bfc0cb3aa034c8f5c63b92f825d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-WFO6/fFWU5IiKgDwkGONGAKSeUtksNNXWJcqoc+yCPksqQXvztZoHwxDVZf5UhKyW1a56N2cecJJEZQi2inqAg==",
                "sha1": "cc8af25f10faa1ecdd3bd6e4d22164b63e361e7e"
            },
            "filename": "set-proto-chain-1.0.3.tgz"
        }
    ]
}