MAL-2026-6213

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@bytemend/mfebus/MAL-2026-6213.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6213

Published

2026-06-19T15:13:09Z

Modified

2026-06-19T15:47:24.257062208Z

Summary

Malicious code in @bytemend/mfebus (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b3d53776853d18aabf967b0f1882eb45f2164feedd600eeccc927f496002f5e4)

The package advertises itself as a small in-memory pubsub library but its main entry dist/index.js eagerly require()s dist/bootstrap.js, a 277KB obfuscator.io-protected blob (string-array rotation, control-flow flattening, RC4 string decoder, self-defending wrappers) whose decoded behavior is a remote-code dropper. On require — and automatically when the module is loaded inside a forked Node child via maybeInstallAutoIpc()/addIpcTarget(process) — the bootstrap: (1) re-spawns process.execPath detached with the original argv and an env-var sentinel as an anti-analysis re-entry guard (child_process.spawn(process.execPath, process.argv.slice(1), { detached:true, windowsHide:true, stdio:'ignore' }) followed by unref()); (2) opens an HTTPS request to a destination resolved from RC4-decrypted strings, follows redirects, and writes the response under os.homedir()/.cache/<dir>/; (3) verifies a SHA-256 against a sidecar metadata file and then require()s the downloaded payload, executing attacker-controlled code in the installer's Node process. Before doing any of this, it installs no-op handlers for uncaughtException, unhandledRejection, and warning and wraps the flow in try/catch with process.exit(0) paths so failures are silently swallowed and never reach host application logs or telemetry. None of this network, child-process, or self-respawn behavior is disclosed in the README, and none of it is consistent with the package's stated pubsub purpose. Any project that imports this package — directly, transitively, or in a forked worker — fetches and executes attacker-controlled code on the installer's machine.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "b3d53776853d18aabf967b0f1882eb45f2164feedd600eeccc927f496002f5e4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T15:13:09Z",
            "versions": [
                "1.4.3"
            ],
            "id": "IN-MAL-2026-007079",
            "import_time": "2026-06-19T15:41:55.709372876Z"
        }
    ]
}

References

https://www.npmjs.com/package/@bytemend/mfebus/v/1.4.3

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @bytemend/mfebus

Package

Name: @bytemend/mfebus; View open source insights on deps.dev
Purl: pkg:npm/%40bytemend%2Fmfebus

Affected ranges

Affected versions

1.*

1.4.3

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@bytemend/mfebus/MAL-2026-6213.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "a9a28f2e9f7e0348092682940b3bf63d47a63afc18eb8bfe628e5ddab0d73b47",
            "tlsh": "a6449730b3c07c9425479f7b332ef5e5f92e5fa934a8088bd065bc64a6ea915dad0730",
            "path": "dist/bootstrap.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-kxFo8/qHEMUTvwCNgrwOB6TyO1Nr3gcggKfk95jqUR5pz8ITygFiCQ3dKYVDs7jJUmgHbtvPCVwfYXvXRlJRkA==",
                "sha1": "35d1f3ede98964880c4759a2346ab1f1893c130b"
            },
            "filename": "mfebus-1.4.3.tgz"
        }
    ]
}