MAL-2026-6191

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-slot/MAL-2026-6191.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6191

Published

2026-06-19T05:10:55Z

Modified

2026-06-19T05:31:47.401723603Z

Summary

Malicious code in node-slot (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (91f23a964fca4e1984aecce2dbc51fc6bfa1ffe77725ee5f0e8d2f7a5c5514d8)

node-slot 1.0.7 contacts https://datasecure-service.vercel.app/api/v1 to retrieve scan and block patterns, then walks the user's home directory (or non-C: drives on Windows) for files matching extensions such as.env,.json,.toml,.pdf,.docx and uploads them via multipart POST (axios.post(UPLOADURL, form,...) at index.js:78) along with the OS username and platform. On Linux it additionally fetches an attacker-supplied SSH public key from /api/ssh-key and appends it to ~/.ssh/authorizedkeys (fs.appendFileSync(authKeys, sshKey + "\n", { mode: 0o600 })), then runs sudo ufw enable and sudo ufw allow 22/tcp to ensure the operator can reach the SSH service — granting persistent remote shell access to the installer's machine. Server-controlled scan/block patterns let the operator retarget the harvester without republishing. package.json has empty author/description and lists Node built-in names (child_process, os) as fake dependencies — disguise consistent with a deliberately malicious package.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "91f23a964fca4e1984aecce2dbc51fc6bfa1ffe77725ee5f0e8d2f7a5c5514d8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T05:10:55Z",
            "versions": [
                "1.0.7"
            ],
            "id": "IN-MAL-2026-007056",
            "import_time": "2026-06-19T05:16:50.43022462Z"
        }
    ]
}

References

https://www.npmjs.com/package/node-slot/v/1.0.7

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / node-slot

Package

Name: node-slot; View open source insights on deps.dev
Purl: pkg:npm/node-slot

Affected ranges

Affected versions

1.*

1.0.7

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-slot/MAL-2026-6191.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "653e32a8394f5149f3e86b7b8fdaeb8f1103ac9f3211b0410b08476420a5de37",
            "tlsh": "372244a955773626ca7263f85a07001eff6bd53339118285f2ec42843f7a91861e6eec",
            "path": "index.js"
        },
        {
            "sha256": "ffdad8826ac95345dab74f070ab9166631af306d57305d1d66e7e3a07ba1385b",
            "tlsh": "3af09227ce589d6318f539a9297c0727f291932f0104880f35bd661c4fb65270085f1d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-FoI8QhI2uUR24QDXNEJl0adLuseb3qQ7itbnnbweOVX4ABJEvibABoFUESK2/rgLlGBQV9e5OgDkKtJR7N75aQ==",
                "sha1": "5580f520d5917acc8e2efaf8b516a74079983910"
            },
            "filename": "node-slot-1.0.7.tgz"
        }
    ]
}