MAL-2026-6210
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@apexcraft/nano-key/MAL-2026-6210.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6210
- Published
- 2026-06-19T15:12:42Z
- Modified
- 2026-06-19T15:47:24.090947114Z
- Summary
- Malicious code in @apexcraft/nano-key (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (c46938b3634fb4de89ddf44b765e1c766c871a40fb31c54609c1b3526074e65c)
@apexcraft/nano-key advertises itself as a 12-byte sortable ID generator (README and repository metadata are copied from yiwen-ai/xid-ts, an unrelated upstream project), but ships a 250KB obfuscator.io-style payload at dist/cjs/seed.cjs. package.json declares
"postinstall": "node./dist/cjs/seed.cjs", so the payload runs automatically onnpm install. The samerunPrepare()entry point is also invoked at module load: index.js line 25 calls_seed.runPrepare()insidenewState(), which line 35 invokes asdefaultState = newState()at top level — so any consumer thatrequires the package re-triggers the dropper. seed.cjs uses an RC4+base64 rotating string array decoder (_0x554f/_0x1420), control-flow flattening, a self-defending IIFE, and a debugger-protection loop to hide an AES-256-GCM-decrypted URL list. At runtime ithttps.requests those URLs, stages the response under~/.cache(or%LOCALAPPDATA%/~/Library/Caches), sha256-stamps the file, and executes it withchild_process.spawn(process.execPath, [file]), with an alternatebunruntime branch. There is no signature or hash pinning of the fetched bytes, the destination is decrypted at runtime (mutable C2), and the package's stated purpose (ID generation) provides no legitimate reason to fetch and execute remote code. Installing or requiring this package hands arbitrary remote code execution to whoever controls the encrypted endpoint. - Database specific
{ "malicious-packages-origins": [ { "sha256": "a07948bbe7c664c2248fc90112dccc0258f9857706b50eed5f68e7ddd7dc6f62", "source": "amazon-inspector", "modified_time": "2026-06-19T15:12:42Z", "versions": [ "1.3.8" ], "id": "IN-MAL-2026-007076", "import_time": "2026-06-19T15:41:55.51799058Z" }, { "sha256": "c46938b3634fb4de89ddf44b765e1c766c871a40fb31c54609c1b3526074e65c", "source": "amazon-inspector", "modified_time": "2026-06-19T15:12:44Z", "versions": [ "1.3.4" ], "id": "IN-MAL-2026-007077", "import_time": "2026-06-19T15:41:55.586775548Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @apexcraft/nano-key
Package
- Name
- @apexcraft/nano-key
- View open source insights on deps.dev
- Purl
- pkg:npm/%40apexcraft%2Fnano-key
Database specific
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@apexcraft/nano-key/MAL-2026-6210.json"
indicators
{
"evidence_files": [
{
"sha256": "618dfffb6829356c131fded9f4c6528b73b4f9d7ff1fc1d3b457599a12584e29",
"tlsh": "d1449730b3c07c9425479f7b332ef5e5f92e5fa934a8088bd065bc64a6ea915dad0730",
"path": "dist/cjs/seed.cjs"
},
{
"sha256": "4f42c7bd6028949d5899aa16a5a028ae8ab93a03b9ee509445fcadb521a077f1",
"tlsh": "e0216b69c4b45d631be465e0ac6a1806a3710d078e64be0537df407caf8e1ab52bf3ac",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-tr//m4xj70vcDmTb0nme74hwqRLk6PPewyeMHhfIGiR69ITBwXN8Fj4kZ4KPVT5OMLv/GIj607BS47YzZUdGvQ==",
"sha1": "8edf857e84e1a2e28225c7e4a3bf99bea3a189a8"
},
"filename": "nano-key-1.3.8.tgz"
}
]
}