MAL-2026-6084

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@array-util/nodepull/MAL-2026-6084.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6084
Published
2026-06-17T21:49:58Z
Modified
2026-06-17T22:46:52.182172082Z
Summary
Malicious code in @array-util/nodepull (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bcafb3a6336948fd12673cfe88d505e2a036afcfb5e9ee5d4b850cf982753d9b)

@array-util/nodepull@1.1.1 ships a single 19 KB obfuscated index.js as its main entry. On require()/import, the IIFE silences process error handlers via process.on('uncaughtException',...) and process.on('unhandledRejection',...), builds a URL by chained string.replace() calls to reassemble dotted host/path tokens, loads os/fs/path/child_process plus an HTTP client, downloads a remote resource, writes the response body to path.join(os.tmpdir(), <name>) with flag 'w+', and executes the dropped file via child_process.exec with {windowsHide: true, cwd: process.cwd()}. The string array, decoder (custom-base64 + RC4 via function c(b,d)), and control-flow flattening (obfuscator.io output, ~814 transforms per webcrack) conceal the URL, dropped filename, and exec target so URL/IP pattern scanners cannot read them. Package metadata is hollow (empty description, empty author, ISC license, no documented API; README only shows an install line and a bare require()) — there is no legitimate functionality, only the dropper. Any developer or build system that installs and require()s this package fetches and executes attacker-controlled code under the installer's UID with errors silenced.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006946",
            "import_time": "2026-06-17T22:38:21.248625933Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T21:49:58Z",
            "sha256": "bcafb3a6336948fd12673cfe88d505e2a036afcfb5e9ee5d4b850cf982753d9b",
            "versions": [
                "1.1.1"
            ]
        },
        {
            "id": "IN-MAL-2026-006947",
            "import_time": "2026-06-17T22:38:21.377150016Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T21:50:00Z",
            "sha256": "c171d764fc1dd7e67c3a09b1092c94ae915786d3776a1246c916f153095a92cb",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006948",
            "import_time": "2026-06-17T22:38:21.485714871Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T21:50:01Z",
            "sha256": "e5a36af206cdff9358c1d3357469fd896fb1607d2401b6f035aaaf35451babac",
            "versions": [
                "1.1.0"
            ]
        }
    ]
}

Affected packages

npm / @array-util/nodepull

Package

Name
@array-util/nodepull
Purl
pkg:npm/%40array-util%2Fnodepull

Affected ranges

Affected versions

1.*
1.0.0
1.1.0
1.1.1

Database specific

indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "d4c9a913a0bb2abdb124751dbaba2b82d8ac0a7e",
                "sha512_sri": "sha512-SbUz5aEQYG/a/oMO88Aic0Hsrnnmn3ZO3aW5U4JN7NQOog+Fj1slvi+dgIfgxsHJVmLj/SRuAZK/LonDjobZSA=="
            },
            "filename": "nodepull-1.0.0.tgz"
        }
    ],
    "evidence_files": [
        {
            "tlsh": "269297cc3bc1b0a05763b0bb7e1ba097e1b95c8d629d8849f796f454fc6c314d0a6b58",
            "path": "index.js",
            "sha256": "7b5b770d70e973acac39aaa3e095d699521472ed13cee94020accf76c12f6066"
        },
        {
            "tlsh": "3ed0a7345b62543305c501520c2d90577291cf1f0004380943cb2c3c95de6b3acfa35d",
            "path": "package.json",
            "sha256": "78cd536760bd3efc49deaa988e9a1748ab0831ddf1ef1f768effec38c5f1d353"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@array-util/nodepull/MAL-2026-6084.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]