MAL-2026-6139
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@httpactions/encode-url/MAL-2026-6139.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6139
- Published
- 2026-06-18T18:39:23Z
- Modified
- 2026-06-18T19:31:45.923141763Z
- Summary
- Malicious code in @httpactions/encode-url (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (2e52b15ad9413185c30f84ad7e11e031c74c359e04f5c30ce502b8bc73267d8e)
The package ships a single heavily obfuscated index.js that performs no URL-encoding work despite the package name. On require() of the declared main, top-level invocation of Zt() triggers an HTTP GET to a hardcoded C2 endpoint whose URL is reconstructed from base64 fragments combined via an XOR routine (function H). The response body is written to disk via fs.writeFileSync and executed by childprocess.exec / childprocess.spawn using process.execPath (the local Node runtime). A second routine mt() POSTs host identifiers — os.hostname(), os.userInfo().username, platform, arch — to the same C2 on every load, and a setInterval re-runs the fetch-and-execute loop approximately every 615 seconds. All sensitive identifiers ('child_process', 'fs', 'exec', 'spawn', 'writeFileSync', 'hostname', 'userInfo', etc.) are concealed as base64 strings with a leading-byte strip, behind an obfuscator.io string-array dispatcher. package.json has empty description, empty author, no repository, and the module exports nothing — the only effect of installing or requiring this package is the dropper. The @httpactions scope and the encode-url name are a lure with no matching functionality.
- Database specific
{ "malicious-packages-origins": [ { "sha256": "2e52b15ad9413185c30f84ad7e11e031c74c359e04f5c30ce502b8bc73267d8e", "source": "amazon-inspector", "modified_time": "2026-06-18T18:39:23Z", "versions": [ "1.0.0" ], "id": "IN-MAL-2026-007014", "import_time": "2026-06-18T19:20:01.922795314Z" }, { "sha256": "5c9aa3e781989ddd45fd6b6d1c8eb3d0bfdd7ce29e16865593b4b6bf3d889ed8", "source": "amazon-inspector", "modified_time": "2026-06-18T18:39:28Z", "versions": [ "1.0.1" ], "id": "IN-MAL-2026-007016", "import_time": "2026-06-18T19:20:02.11522741Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @httpactions/encode-url
Package
- Name
- @httpactions/encode-url
- View open source insights on deps.dev
- Purl
- pkg:npm/%40httpactions%2Fencode-url
Database specific
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@httpactions/encode-url/MAL-2026-6139.json"
indicators
{
"evidence_files": [
{
"sha256": "f9026264d06046512d73d8d580f36b273c672cfe2b4652db59d336ca9fb40969",
"tlsh": "fa2266c53ff2b017d220247b382a5256a22f4c84774c4998e62665c4fe5a7b6f0b76dc",
"path": "index.js"
},
{
"sha256": "d09ad41537d0904ccdc70a6372a0ff25c3c5372606568f086ba82f70968f4abc",
"tlsh": "86d0a7382951553305c641120c6ea446b361df2f1044380d87db583c81dfab35cfa31d",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-+Z/oUOu4JJyOgzPDB+WPLLXGjSXlKSu1NP1o6x9d9liP0V0gy5blpSwDyWS4jYAoBNxorLXa5nDBYie2iY1Tlg==",
"sha1": "6804b6c63a962a43d3ed4b7955f5107b3d102824"
},
"filename": "encode-url-1.0.0.tgz"
}
]
}