MAL-2026-6299

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/analysis-chart/MAL-2026-6299.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6299
Published
2026-06-23T15:25:06Z
Modified
2026-06-23T19:46:25.081027581Z
Summary
Malicious code in analysis-chart (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a1ab4349bcc1e8f4434817d242b136f6e6050d4acb234aa833d81ffd74942066)

The package's postinstall hook (install-hook.js, invoked via package.json scripts.postinstall) fetches an opaque binary 'payload.bin' from https://github.com/Dimitrijenco/Sticky_note/releases/download/v6/payload.bin — a third-party GitHub release on an account unrelated to the package's claimed author. The downloaded bytes are XOR-decrypted with key 0x42 and then loaded into the installer's own process: kernel32.dll is loaded via koffi, RWX memory is allocated with VirtualAlloc, the decrypted PE is copied in with RtlMoveMemory, VirtualProtect is applied, and a thread is started with CreateThread at the parsed PE entry point. This is in-memory shellcode/PE injection on Windows developer machines: arbitrary attacker-controlled native code executes during npm install. After launching the payload, install-hook.js writes a cleanup.js that, after a 3-second delay, runs cmd /c rmdir /s /q on the package folder, removes 'analysis-chart' from the host project's package.json, unlinks install-hook.js, and deletes itself — anti-forensic evidence removal, so the developer cannot inspect what ran. Because the cleanup removes both the package folder and its package.json entry, the absence of analysis-chart from a project is not evidence that it was never installed there. The package's index.js exposes a plausible-looking chart statistics API (stats, outliers, trend, correlation, movingAverage, analyze) that is functionally unrelated to install-hook.js and serves as decoy cover; the author metadata 'Elena Vogt elena@analysis-chart.io' and the referenced repo appear fabricated.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "2864a2449901972e02d0001e4dc85625e22fe7fbb7059c2b47ca68e5f9e002af",
            "id": "IN-MAL-2026-007239",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:10Z",
            "versions": [
                "2.0.14"
            ],
            "import_time": "2026-06-23T15:33:53.559016698Z"
        },
        {
            "sha256": "3a015269ceb39b2c14d5a2dcdd7d00221643abe796fe89ca19af031f2cce8589",
            "id": "IN-MAL-2026-007246",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:20Z",
            "versions": [
                "2.0.16"
            ],
            "import_time": "2026-06-23T15:33:54.079690781Z"
        },
        {
            "sha256": "90b47ebcff30f2bc7800369c73519aef78a993951abb408d0417ac1a2d59cca4",
            "import_time": "2026-06-23T15:33:53.703122707Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:13Z",
            "versions": [
                "2.0.11"
            ],
            "id": "IN-MAL-2026-007242"
        },
        {
            "sha256": "a1ab4349bcc1e8f4434817d242b136f6e6050d4acb234aa833d81ffd74942066",
            "import_time": "2026-06-23T15:33:53.630750151Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:11Z",
            "versions": [
                "2.0.13"
            ],
            "id": "IN-MAL-2026-007240"
        },
        {
            "sha256": "abe7471c7d6dedda417f026350625e6c59fc1f9142e8581d2ddbf9271aa983f3",
            "id": "IN-MAL-2026-007238",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:09Z",
            "versions": [
                "2.0.17"
            ],
            "import_time": "2026-06-23T15:33:53.476573252Z"
        },
        {
            "sha256": "c69d8529346ea8fdadddfe1bf7929b90d9e9fa2a05c341d009bc299d22359f28",
            "import_time": "2026-06-23T15:33:53.447036448Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:08Z",
            "versions": [
                "2.0.18"
            ],
            "id": "IN-MAL-2026-007237"
        },
        {
            "sha256": "cead6a4f96bc1f11c12d7ae744f05efa942b7e01510f1140d03091d1fd9ac656",
            "import_time": "2026-06-23T15:33:54.038419402Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:15Z",
            "versions": [
                "2.0.8"
            ],
            "id": "IN-MAL-2026-007245"
        },
        {
            "sha256": "69e73f44c410c45e3622ee2856bb39f8b215a62ed14e3f78e4bfd59d1c7f2636",
            "import_time": "2026-06-23T15:33:53.75460268Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:14Z",
            "versions": [
                "2.0.10"
            ],
            "id": "IN-MAL-2026-007243"
        },
        {
            "sha256": "80b28a3207077cdcf31f46855f65b9a34b5e184621a48105a68d89626e2a2bfb",
            "import_time": "2026-06-23T15:33:53.3601459Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:06Z",
            "versions": [
                "2.0.19"
            ],
            "id": "IN-MAL-2026-007235"
        },
        {
            "sha256": "a1df4a7199135c43ea62dee912d7817478433ca12b096c6e4338e5a1c7edf5fc",
            "import_time": "2026-06-23T15:33:53.66979825Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:12Z",
            "versions": [
                "2.0.12"
            ],
            "id": "IN-MAL-2026-007241"
        },
        {
            "sha256": "de20339f52b63e70ca5a9ca47d746377b1e4c3d32f1299979da6a35e6d23e4b9",
            "import_time": "2026-06-23T15:33:53.856098514Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:14Z",
            "versions": [
                "2.0.9"
            ],
            "id": "IN-MAL-2026-007244"
        },
        {
            "sha256": "ffa5d2e2f559fe28da7f21aeaa3705d96dac8a7f196f38adfa2b994ad3280030",
            "id": "IN-MAL-2026-007236",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:25:07Z",
            "versions": [
                "2.0.15"
            ],
            "import_time": "2026-06-23T15:33:53.395589309Z"
        },
        {
            "sha256": "509b1ccb496a19e767ed8440a47063209afc32476929d37e4381db6f4e4ed98d",
            "import_time": "2026-06-23T19:40:42.931714768Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T19:37:52Z",
            "versions": [
                "2.0.22"
            ],
            "id": "IN-MAL-2026-007349"
        },
        {
            "sha256": "6e159b8395f43bfb9b920b41eb74fe91195f38eecd111c86770af10452eb4cfc",
            "import_time": "2026-06-23T19:40:42.289053813Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T19:37:47Z",
            "versions": [
                "2.0.25"
            ],
            "id": "IN-MAL-2026-007343"
        },
        {
            "sha256": "2712de0c6aff4ac7bfb9768bef35aba34a89bfd3c2d02cf553534da36c3c188b",
            "import_time": "2026-06-23T19:40:42.496384119Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T19:37:48Z",
            "versions": [
                "2.0.24"
            ],
            "id": "IN-MAL-2026-007345"
        },
        {
            "sha256": "5b82aa5cd48a20ff8f3ff41cbc9bf0d4e28e4f66eab928340851fa56027aae32",
            "import_time": "2026-06-23T19:40:42.726236402Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T19:37:50Z",
            "versions": [
                "2.0.23"
            ],
            "id": "IN-MAL-2026-007347"
        },
        {
            "sha256": "94911e79e5edbf1c5261beb41cf73f21abd36c826a17d6f36e068cfd339f620d",
            "import_time": "2026-06-23T19:40:42.089566081Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T19:37:46Z",
            "versions": [
                "2.0.28"
            ],
            "id": "IN-MAL-2026-007342"
        },
        {
            "sha256": "af12c3ec91e4c40913086c5ffa64273b05123b20f45a772ce137d45dd2ecad43",
            "import_time": "2026-06-23T19:40:42.383561523Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T19:37:47Z",
            "versions": [
                "2.0.26"
            ],
            "id": "IN-MAL-2026-007344"
        },
        {
            "sha256": "e2b0499237239c80cb1a3b4e34e11e17b4d8459f8294d55c068657f3082244d8",
            "import_time": "2026-06-23T19:40:42.606943855Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T19:37:49Z",
            "versions": [
                "2.0.27"
            ],
            "id": "IN-MAL-2026-007346"
        },
        {
            "sha256": "edc5cdd3aa1b9005c0ab92628b519eac1d39354504816949d8a7984758fb37b0",
            "import_time": "2026-06-23T19:40:43.035059761Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T19:37:53Z",
            "versions": [
                "2.0.21"
            ],
            "id": "IN-MAL-2026-007350"
        },
        {
            "sha256": "ee6e0c25c079ec0d01359f8f6104bf3ddb59921a39dae21fddd259d9f752e36f",
            "import_time": "2026-06-23T19:40:42.833907801Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T19:37:51Z",
            "versions": [
                "2.0.20"
            ],
            "id": "IN-MAL-2026-007348"
        }
    ]
}
References
Credits

Affected packages

npm / analysis-chart

Package

Affected ranges

Affected versions

2.*
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/analysis-chart/MAL-2026-6299.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "8ca2e876331c8fe62b290eb3f937cfedc8397c38ae7efd25b6c1d66c116b8ec0",
            "tlsh": "0fe1658659a162255cb163ea8fa3941ae72b601332608394befdc3442f763548353eff",
            "path": "install-hook.js"
        },
        {
            "sha256": "3b00be0de8a311058e3db90d06ca757e4b0be1f5619578c2d8cc42c2049dc79d",
            "tlsh": "01014527ce41ce2b9af413a3586e4642f3111f1f10604c0b34fa143c0f371a2249af2a",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "analysis-chart-2.0.14.tgz",
            "hashes": {
                "sha1": "f40908f97c2fb9c6c0c15787d0add463a1a13256",
                "sha512_sri": "sha512-MpbDItvPmnyAFPI4H5OEUoP3VKhzM99XrCauT4VMe1MA/OBUcj9l3qJ8XmyJYyo1yxs72tgzBECArBtg6pRwXA=="
            }
        }
    ]
}