MAL-2026-6214

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@chunklab/hexparse/MAL-2026-6214.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6214
Published
2026-06-19T15:13:24Z
Modified
2026-06-19T15:47:24.264950024Z
Summary
Malicious code in @chunklab/hexparse (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (56ad779454aa221e4a3d5a13725428059b40edd7cd8a4329ef382348bc493013)

Package advertises itself as a small hex/base64/endianness codec library, but every exported encode/decode function (encodeHex, decodeHex, encodeBase64, ...) invokes _runPrepare() from script/prelude.cjs (and esm/prelude.mjs), a ~277 KB obfuscator.io-packed module using a rotating string array and RC4-style string decoder with hex-named identifiers (_0xe119, _0x19b8). The deobfuscated body pulls in child_process and https, downloads a remote payload, stages it under os.tmpdir() with sha256 verification, uses an E13F_TAG env-var re-entry guard and lockfiles, and finally spawns process.execPath on the downloaded file.

Any consumer that imports the package and calls its advertised API silently fetches and executes attacker-controlled code on the installer's machine. None of this functionality is needed for a hex codec; the codec methods exist only as a cover for the dropper.

The package also impersonates an unrelated upstream project: package.json repository.url, bugs.url, and homepage all point to github.com/levischuck/tiny-encodings, while the package is published under the @chunklab scope by author chunklab <chunklab@pm.me> and the obfuscated prelude.cjs/prelude.mjs files are not present in that upstream. This is an identity-spoofing republish that adds malware on top of a legitimate codec source tree.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "56ad779454aa221e4a3d5a13725428059b40edd7cd8a4329ef382348bc493013",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T15:13:24Z",
            "versions": [
                "1.1.7"
            ],
            "id": "IN-MAL-2026-007080",
            "import_time": "2026-06-19T15:41:55.759800891Z"
        }
    ]
}
References
Credits

Affected packages

npm / @chunklab/hexparse

Package

Name
@chunklab/hexparse
Purl
pkg:npm/%40chunklab%2Fhexparse

Affected ranges

Affected versions

1.*
1.1.7

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@chunklab/hexparse/MAL-2026-6214.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "24c8f9b8ac17c2f88cc01d44543963206472112510962b68cf5f74d598b3b065",
            "tlsh": "9e449730b3c07c9425479f7b332ef5e5f92e5fa934a8088bd065bc64a6ea915dad0730",
            "path": "script/prelude.cjs"
        },
        {
            "sha256": "249b09711f0bb1210dc64ad989ab2a9408ee4789de1a7c402df7953a5e25f937",
            "tlsh": "f0214974c5609d530ac8a8a4d869aa06b675180b8c24bc4973cf051caf8d5ef25ff3bd",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-6/hoomtHN6FDOJ4pvVZr7DEWjgPMGhWrAcrFVT+kHu6uonXOjbQlTpd0a29tPn3gxt00tqzTqwKYDBtr+1sY7w==",
                "sha1": "11ed255e11738fb926d81f7ea5918d2e9612f44a"
            },
            "filename": "hexparse-1.1.7.tgz"
        }
    ]
}