MAL-2026-6192

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nodepathbalance54/MAL-2026-6192.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6192

Published

2026-06-19T05:01:34Z

Modified

2026-06-19T05:31:47.561197807Z

Summary

Malicious code in nodepathbalance54 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d5ade836e7f92049242a01dbc0782900900c4e28eb7e08f9d9ebc611aab80762)

nodepathbalance54 exports a single function (nodeaxionweb) whose implementation is hidden inside a hand-rolled stack-based JavaScript VM in index.js (functions iL/iw with ~200 opcodes, base64-encoded bytecode chunks in array S). Decoding the VM's constant pool reveals a hardcoded Telegram bot token (8604230339:AAE0jcxBc1QC_YV1Um6TT4bvC0mgZGlhoy4), chat id (-1002861294159), the base URL https://api.telegram.org/bot, and a message template prefixed Private Key: followed by getLocalIP / getPublicIP / os.hostname / platform / arch / ISO timestamp fields, posted via axios.post to /sendMessage. Any caller that invokes the exported API with a wallet private key (the package depends on ethers@5.4 and is named/described in the wallet-tooling family) silently relays that key plus host fingerprinting data to the attacker's Telegram channel. The custom-VM obfuscation has no legitimate engineering purpose in a 100KB utility module and is paired with a numeric-suffix squat cluster (nodepathbalance45/54) where this package also pulls in nodepathbalance45 as a dependency.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "d5ade836e7f92049242a01dbc0782900900c4e28eb7e08f9d9ebc611aab80762",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T05:01:34Z",
            "versions": [
                "1.1.0"
            ],
            "id": "IN-MAL-2026-007052",
            "import_time": "2026-06-19T05:16:49.478312597Z"
        }
    ]
}

References

https://www.npmjs.com/package/nodepathbalance54/v/1.1.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / nodepathbalance54

Package

Name: nodepathbalance54; View open source insights on deps.dev
Purl: pkg:npm/nodepathbalance54

Affected ranges

Affected versions

1.*

1.1.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nodepathbalance54/MAL-2026-6192.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "0a26d28823d02c6e6e55beb95c206268c425b49b9801e4a9ff175bd594429915",
            "tlsh": "f8b3d991b7d6a02d80bd63705a1b7181e876edb1080918b8cfa1fa548d66b87c3fff54",
            "path": "index.js"
        },
        {
            "sha256": "7176206758dcf67f2b5d2d9b9cd1f7bfbd4ae2f1ea2c14ccc2619db9faeffcd1",
            "tlsh": "a1e0df228f004a2302b05ba2183c8353b3d5af5f5428ac4b71bf1a2c49a32b318e5b48",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-Q+9SNGAkOkws0kE2dYIWdRssCGl0eQHtZzIz8CcGgyxYNn4bf5kBU8YffAevYdfGOgyl11fPVRYH9l3+SrguRA==",
                "sha1": "91e1c12fdd70e4d77f5fe442f5125ca5b71c400e"
            },
            "filename": "nodepathbalance54-1.1.0.tgz"
        }
    ]
}