MAL-2026-6215

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aikaf6688812/MAL-2026-6215.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6215
Published
2026-06-19T15:31:30Z
Modified
2026-06-19T15:47:24.338451790Z
Summary
Malicious code in aikaf6688812 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fcdebe342ec1c629835301869934fab1a4800c98116a337ec33b05def92d33e7)

package.json declares a postinstall hook that runs scripts/postinstall.js, which spawns scripts/shell.js as a detached, stdio-ignored background process (spawn(process.execPath, [path.join(__dirname, 'shell.js')], { detached: true, stdio: 'ignore', windowsHide: true })). scripts/shell.js opens a TCP socket to the hardcoded host 114.67.90.67 on port 3334 and pipes the local shell to that socket — /bin/sh -i on POSIX, hidden powershell.exe on Windows — with an automatic reconnect loop every 10 seconds. Any machine that runs npm install aikaf6688812 immediately yields persistent interactive shell access at the operating-system level to whoever controls 114.67.90.67. The package's stated purpose is string utilities; the network and shell behavior is unrelated to that purpose. Author metadata (frontend-dev) and the repo URL point to a non-existent GitHub project, consistent with a disposable lure.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "fcdebe342ec1c629835301869934fab1a4800c98116a337ec33b05def92d33e7",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T15:31:30Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-007083",
            "import_time": "2026-06-19T15:41:55.985426757Z"
        }
    ]
}

Affected packages

npm / aikaf6688812

Affected versions

1.*
1.0.3

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aikaf6688812/MAL-2026-6215.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "1b4e8023296a6d0050dc5ec500a43ac32c0374272d4cd5e403a60d47f904277d",
            "tlsh": "2d110ea461b5823b03bb89b589abc4323233d2137717e7c433dd105d9f838a81eaa5f0",
            "path": "scripts/shell.js"
        },
        {
            "sha256": "3c99ed9ea3d7d9c55eb08a5793b6aae0fe0332d40dbd7c4ba899b3be3bf8371f",
            "tlsh": "b7f04c68ce205d3319d856525da9540ab171581b4944bc187bd3801c5fae7bf54ff31e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-a1c+OZeLNbJVidEXSa2vWjqDJyUxx1fPRFbLrEojvw0bO84cm1xXyNIOA2JoyOHe7xaVwdtoZnFnAJzprsXW/Q==",
                "sha1": "125c2f1172d66d7c75c9ea920566d1845fbd6901"
            },
            "filename": "aikaf6688812-1.0.3.tgz"
        }
    ]
}