MAL-2026-6209

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@antoncarlos1/nodelamp/MAL-2026-6209.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6209

Published

2026-06-19T15:02:53Z

Modified

2026-06-19T15:47:24.054246718Z

Summary

Malicious code in @antoncarlos1/nodelamp (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d930df8b6392b3bbfe3b591d90226374d31fb246e06018521f3f673a815b618a)

@antoncarlos1/nodelamp@1.0.1 ships a single obfuscated index.js that runs a dropper on require(). The top-level IIFE constructs a hardcoded IPv4 URL by concatenating four numeric literals with '.', issues an HTTPS GET to that bare-IP host, writes the response body to a file under os.tmpdir() with flag 'w+', and immediately spawns it with cwd=os.tmpdir() and windowsHide:true. The module is encoded with obfuscator.io (224-entry RC4 string array, two decoder functions, shuffled control flow) — the only purpose of which is to hide the destination address and the exec edge from reviewers. The package metadata advertises only 'manage the node' with no functionality justifying any network fetch or binary execution, and the package scope (@antoncarlos1) does not match the linked repository owner (guilderguzman). The fetched bytes are unpinned, unverified, and attacker-controlled; any consumer that requires this package (directly or transitively) executes them with the installer's privileges.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "d930df8b6392b3bbfe3b591d90226374d31fb246e06018521f3f673a815b618a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T15:02:53Z",
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-007074",
            "import_time": "2026-06-19T15:41:55.390808985Z"
        }
    ]
}

References

https://www.npmjs.com/package/@antoncarlos1/nodelamp/v/1.0.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @antoncarlos1/nodelamp

Package

Name: @antoncarlos1/nodelamp; View open source insights on deps.dev
Purl: pkg:npm/%40antoncarlos1%2Fnodelamp

Affected ranges

Affected versions

1.*

1.0.1

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@antoncarlos1/nodelamp/MAL-2026-6209.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "98f5263592b83ce13206f734071d6912bb9a316efa1966b63dd4e3473e324e15",
            "tlsh": "9082b5cc37d1b0602633e17f6e1ba096f1aa5c99a29dc844f386f498fc68314d1f9b58",
            "path": "index.js"
        },
        {
            "sha256": "087e8c15e01c0a046215b7a15bfd7319ed223856aee869e618a2eadaf0e88b2a",
            "tlsh": "aaf0463995b208af0ed527a18829284a72e3891b9c483c4923e7055c8acf4f322fd22d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-JWtmSTGq54BiCmcdXGU6w2NxjgjJ+Y5rc6AUJ2YfdVmDCwAXnJha2yCi/l0sNn1NhibrQ2n0mwBsSRyS/63c0A==",
                "sha1": "74beab45e57a3eeada7776d2f9d0db15b2a213fb"
            },
            "filename": "nodelamp-1.0.1.tgz"
        }
    ]
}