MAL-2026-6217

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aikaf788812/MAL-2026-6217.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6217
Published
2026-06-19T15:31:29Z
Modified
2026-06-19T15:47:26.774697895Z
Summary
Malicious code in aikaf788812 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c91950cef6a5f877a4a9bca074501e4c910dc50008d4c8c2623ddc21f08e31f2)

Package masquerades as a string-utility library but ships a postinstall backdoor. On npm install, scripts/postinstall.js spawns scripts/shell.js as a detached background process (stdio:'ignore', windowsHide:true) that survives the install lifecycle. shell.js attempts multiple reverse-shell methods — a Node net socket piping /bin/sh or powershell, bash /dev/tcp, and a Python socket+subprocess payload — connecting to 114.67.90.67 on ports 3334, 4444, 443, 80, 8080, and 53. It additionally issues an HTTP GET to http://114.67.90.67:8333/ping carrying the installer's hostname, username, cwd, and OS platform/release as query parameters, fingerprinting the victim and confirming compromise. A setInterval keep-alive plus an infinite Python reconnect loop maintain persistent C2 access on the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "c91950cef6a5f877a4a9bca074501e4c910dc50008d4c8c2623ddc21f08e31f2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T15:31:29Z",
            "id": "IN-MAL-2026-007082",
            "versions": [
                "1.0.3"
            ],
            "import_time": "2026-06-19T15:41:55.920151939Z"
        }
    ]
}
References
Credits

Affected packages

npm / aikaf788812

Package

Affected ranges

Affected versions

1.*
1.0.3

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aikaf788812/MAL-2026-6217.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "9a9278d74630388e996735bb2e778f572010a2952c9304495f41cbd43adbecee",
            "tlsh": "7081a5b445ba442d3377975f820b103163aba1072d1ae6a836bc53436fd2dbc5863af4",
            "path": "scripts/shell.js"
        },
        {
            "sha256": "20d2859a52b6f2bf12083b85a9332ef9c4be9dbdceab735e0789c7f15bb5a5c7",
            "tlsh": "b8e0eb2ab3a2023cb1bac7c0bb5a33372a0b9700a3901020c9ae1067078739e81330e7",
            "path": "scripts/postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-mTwJdxKILaBcVWh6rI5WbZRJnFN94dVRMg22BmKNrnS2bKQrDhjZGmtgau6+DjvXE5MBK+7NFdzVe+Jo42rbVQ==",
                "sha1": "9864c93fe6c3649d73c974b8238b9317c998f830"
            },
            "filename": "aikaf788812-1.0.3.tgz"
        }
    ]
}