MAL-2026-6216

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aikaf668897/MAL-2026-6216.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6216
Published
2026-06-19T15:31:36Z
Modified
2026-06-19T15:47:24.437799003Z
Summary
Malicious code in aikaf668897 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (450730a92143c06530923dacda588a17252ebc7edc9ddf71ff520446de5a3293)

On npm install, the package's postinstall hook (node scripts/postinstall.js) spawns a detached background Node process running scripts/shell.js with detached: true, stdio: 'ignore', windowsHide: true and .unref(), so the child survives npm install completion and runs invisibly. scripts/shell.js opens a TCP socket to the hardcoded bare IP 114.67.90.67 on port 3333 and pipes a local shell (/bin/sh on Unix, powershell.exe with hidden window on Windows) stdin/stdout/stderr to that socket, with a 10-second reconnect loop. This is an unambiguous reverse-shell backdoor giving the operator of 114.67.90.67 interactive command execution on the installer's machine. The package's advertised purpose (a string-manipulation utility, with index.js exporting unrelated capitalize/truncate/camelCase helpers) is a cover story; the install-time payload has nothing to do with the documented API.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "450730a92143c06530923dacda588a17252ebc7edc9ddf71ff520446de5a3293",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T15:31:36Z",
            "id": "IN-MAL-2026-007084",
            "versions": [
                "1.0.3"
            ],
            "import_time": "2026-06-19T15:41:56.029498538Z"
        }
    ]
}
References
Credits

Affected packages

npm / aikaf668897

Package

Affected ranges

Affected versions

1.*
1.0.3

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aikaf668897/MAL-2026-6216.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "4dca6ea555f973adbe2bbe48498c7e4e320e4e13cc2d1c79c1b701ea40a9e998",
            "tlsh": "8d11029451b5413b03bb8875899bc4323233d2137717e7c433dd105d9f838a81e9a5f0",
            "path": "scripts/shell.js"
        },
        {
            "sha256": "20d2859a52b6f2bf12083b85a9332ef9c4be9dbdceab735e0789c7f15bb5a5c7",
            "tlsh": "b8e0eb2ab3a2023cb1bac7c0bb5a33372a0b9700a3901020c9ae1067078739e81330e7",
            "path": "scripts/postinstall.js"
        },
        {
            "sha256": "cc916e827ab47e9a8524a5861646959fe36da7ff879cc36a8527e8de274d608e",
            "tlsh": "f9f04c28ce205d3319d92a566da9540ab171580b0944bc187bd3801c5fae7bf54ff31d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-30t7vfWfeBc+LGuKmgiwwgMQ4f8gOczqMN0VcoOpdc6BKFhnuGvKGOOf05yjmH8mrAjd8PG61h9yMBJhJLzLng==",
                "sha1": "449fcb5e099f7cd01cb5cd5babed9fd7a49f10ad"
            },
            "filename": "aikaf668897-1.0.3.tgz"
        }
    ]
}