MAL-2026-6097

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/roblox-api-client/MAL-2026-6097.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6097
Published
2026-06-18T04:07:15Z
Modified
2026-06-18T05:46:38.641070812Z
Summary
Malicious code in roblox-api-client (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (06fae89087d7a50d6397199d5fe1d5fc925c7c353e72a7f8a84e9aeca08224e6)

On npm install, postinstall.js fetches http://betterminecraft.fun/nettspend.bat over plain HTTP, writes it to the OS temp directory, and executes it via cmd /c on Windows (postinstall.js line 7 hardcodes the URL; line 15 spawns the temp file with windowsHide: true). The destination domain is unrelated to the package's stated purpose (a Roblox API client), the URL is mutable and unpinned, no hash or signature verification is performed, and the transport is cleartext HTTP — the operator can swap the served bytes at will. package.json metadata is placeholder-only (author: your-name, repo github.com/your-username/roblox-api-client), consistent with a hit-and-run squat rather than a legitimate publisher. This is a textbook install-time RCE dropper: any Windows developer running npm install roblox-api-client silently executes attacker-controlled code under their user account.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "06fae89087d7a50d6397199d5fe1d5fc925c7c353e72a7f8a84e9aeca08224e6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T04:07:15Z",
            "id": "IN-MAL-2026-006973",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-18T05:42:06.035939061Z"
        }
    ]
}

Affected packages

npm / roblox-api-client

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/roblox-api-client/MAL-2026-6097.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "f51927f48193e74b892ea70f9bce90650da8a1bcc561619bb25c4f23e5a65cdc",
            "tlsh": "70f0acd50ef3623061b260d0a3a1591aa633c0123281ced0b4cc54405fd36b99ef1be8",
            "path": "postinstall.js"
        },
        {
            "sha256": "e1f0aa169674a1977736907b87705981e8b2438290d475735cd12e2cfa0bec81",
            "tlsh": "5b012434c5648a7329d462949d7a2453a96a0c07841abc0c23d7216c8b9d6af51bd6bf",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-YoxD4uxP/HGGEJvCICTQSK9XYbMm6Kv5pxrwgo4G5nCwcp0/qZrkdybqjbfSJCWeRQdx/P/cadtI2CETWL+REw==",
                "sha1": "b3db3d0b3ad3777bc40fffb4fb5276ed579b60ee"
            },
            "filename": "roblox-api-client-1.0.0.tgz"
        }
    ]
}