MAL-2026-6227

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-ts-helper/MAL-2026-6227.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6227

Published

2026-06-19T14:13:34Z

Modified

2026-06-19T15:47:24.084175428Z

Summary

Malicious code in new-ts-helper (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c3721ae4cecdfa22793382d07d28a25ba5fabd54ac405cb94e642a1f96faee80)

index.js imports child_process and at lines 101 and 117 invokes execSync to run bash and zsh commands. Lines 9, 194, and 195 use Buffer.from(..., 'base64').toString() to decode base64-encoded payloads, a common pattern for hiding the actual shell commands from casual review. The combination of base64-decoded strings being fed into execSync calls inside the main module is the canonical shape of an obfuscated runtime payload executor: any caller that requires this package, or any lifecycle/CLI path that loads index.js, will execute attacker-controlled shell commands decoded from the embedded base64 blobs. There is no documented benign reason for a 'helper' package to base64-decode strings and shell them out. Package name (new-ts-helper) also has the shape of a low-effort lure rather than an established TypeScript utility.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "c3721ae4cecdfa22793382d07d28a25ba5fabd54ac405cb94e642a1f96faee80",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T14:13:34Z",
            "versions": [
                "9.0.2"
            ],
            "id": "IN-MAL-2026-007066",
            "import_time": "2026-06-19T15:41:54.906077782Z"
        }
    ]
}

References

https://www.npmjs.com/package/new-ts-helper/v/9.0.2

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / new-ts-helper

Package

Name: new-ts-helper; View open source insights on deps.dev
Purl: pkg:npm/new-ts-helper

Affected ranges

Affected versions

9.*

9.0.2

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-ts-helper/MAL-2026-6227.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "417f814a3838ff76700a5fec27c2a50ff4e8785e96556669448a5d252ac5fed7",
            "tlsh": "4fe166a901162126d6f1e7f8eb560016f7ded2137202c742b6ac4ac92f77528e1d2fec",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-EJwxgYrHI5H3lcKf6nOVjXmMMZSIhR2WRAaSuxAOyywlT/r69hddIADMAHLCfZndyrpZOwLH0SRtY3qAacTkfg==",
                "sha1": "30c081846ed66f255bc07dde820355225c3d0ca5"
            },
            "filename": "new-ts-helper-9.0.2.tgz"
        }
    ]
}