MAL-2026-6234

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yian666aikf/MAL-2026-6234.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6234
Published
2026-06-20T03:50:32Z
Modified
2026-06-20T05:16:46.094361579Z
Summary
Malicious code in yian666aikf (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f96776bdaabacae768376d5c1ff3543f77d94b41298d3d01365032817c3cd53e)

yian666aikf@1.0.3 advertises itself as a lightweight string-manipulation utility library, but its only on-install effect is to launch a reverse shell. package.json registers a postinstall hook (scripts/postinstall.js) that spawns scripts/shell.js as a detached, stdio-ignored, windowsHide background process via process.execPath. shell.js opens a TCP socket to 114.67.90.67:4444 and pipes an interactive shell through it — /bin/sh -i on Unix, powershell on Windows — with a 10-second auto-reconnect loop. The shipped index.js exposes benign string helpers (capitalize/truncate/etc.) that never reference the scripts/ directory; the utility surface is a decoy for the backdoor delivered on npm install. Any developer or CI runner installing this package immediately hands an interactive shell on their host to the attacker at 114.67.90.67:4444, with persistence via the reconnect loop.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "f96776bdaabacae768376d5c1ff3543f77d94b41298d3d01365032817c3cd53e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-20T03:50:32Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-007093",
            "import_time": "2026-06-20T04:58:37.606905029Z"
        }
    ]
}

Affected packages

npm / yian666aikf

Package

Affected ranges

Affected versions

1.*
1.0.3

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yian666aikf/MAL-2026-6234.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "026bd41bf57b7a84a8cad7e0b1455d2d50ca535458cecc6955981fcb52266eb7",
            "tlsh": "b911029551b5813b03bb8875899bc4323137d2137717e3c433dd105d9f838a81e9a5f4",
            "path": "scripts/shell.js"
        },
        {
            "sha256": "99baecd8c5609ddeac42660693a6161efb76d26a5dd8ff7a114c429910c8fe6f",
            "tlsh": "f5f04c28cf205d3319e91a566da9644ab171580b0944bc183bd3801c5fae7af54ff31d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-tK2SexTYv4fFP+I6o3a+/oiOHwYLhLrZJnKXuSbMFPaL/J7P7Xbpv4VHbayfqbSwQf+ddCCXClg8pxsMliWcjw==",
                "sha1": "1bd78a062cf4d617d518bf139a285babc4a8aed6"
            },
            "filename": "yian666aikf-1.0.3.tgz"
        }
    ]
}
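A lockfile check built from this record's indicators, added here as an example; it is not part of the advisory or of any scanner's code. The package name, version and `sha512_sri` value are taken from this page, while `auditLock`, `walkV1`, `walkV2` and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for the package in MAL-2026-6234.
const ADVISORY = {
  name: "yian666aikf",
  versions: ["1.0.3"],
  integrity: "sha512-tK2SexTYv4fFP+I6o3a+/oiOHwYLhLrZJnKXuSbMFPaL/J7P7Xbpv4VHbayfqbSwQf+ddCCXClg8pxsMliWcjw==",
};

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function* walkV1(deps, prefix) {
  for (const [name, e] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { path, name, version: e.version, integrity: e.integrity };
    yield* walkV1(e.dependencies, `${path}/`);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install path. An aliased
// install keeps the real package name in the entry's "name" field.
function* walkV2(packages) {
  for (const [path, e] of Object.entries(packages)) {
    if (path === "") continue; // the root project itself
    const name = e.name || path.split("node_modules/").pop();
    yield { path, name, version: e.version, integrity: e.integrity,
            hasInstallScript: e.hasInstallScript === true };
  }
}

// Return one finding per lockfile entry that matches the advisory indicators.
function auditLock(lock) {
  const entries = lock.packages ? walkV2(lock.packages) : walkV1(lock.dependencies, "");
  const findings = [];
  for (const e of entries) {
    const reasons = [];
    if (e.name === ADVISORY.name && ADVISORY.versions.includes(e.version)) reasons.push("name+version");
    if (e.integrity === ADVISORY.integrity) reasons.push("integrity");
    if (reasons.length) findings.push({ ...e, reasons });
  }
  return findings;
}

// Constructed sample lockfile: the flagged package is installed under an alias.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.1.0" },
  "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CONSTRUCTED" },
  "node_modules/str-utils": { name: "yian666aikf", version: "1.0.3", integrity: ADVISORY.integrity, hasInstallScript: true },
} };
console.log(auditLock(SAMPLE_LOCK));
```

A match means the postinstall hook may already have run on any host that installed from that lockfile, so treat the finding as a host-compromise lead rather than only a dependency to remove.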