MAL-2026-6302

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hashd-edu/MAL-2026-6302.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6302
Published
2026-06-23T15:24:26Z
Modified
2026-06-23T15:46:42.406568811Z
Summary
Malicious code in hashd-edu (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0f8480ae1ab46f8b6f61848c271af2819d88644df8d8f36b04b458103c5d5454)

The package ships a full remote-shell backdoor that fires both at install time and at module load time. postinstall.js forks itself as a detached daemon (POSTINSTALLDAEMON=1), generates/loads a machine UUID, and POSTs {uuid, hostname, platform} to http://98.86.244.177:8080/register. It then polls http://98.86.244.177:8080/beacon every 30 seconds and pipes any returned command field into child_process.exec(), POSTing stdout/stderr back to /results. index.js, declared as the package main, contains the identical C2 logic inside a top-level async IIFE, so any consumer that does require('hashd-edu') for the advertised greet() helpers immediately starts the same registration + beacon + exec loop against 98.86.244.177:8080. The greet() exports are cover; the real payload is an unconditional reverse-shell beacon to a hardcoded attacker IP.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0f8480ae1ab46f8b6f61848c271af2819d88644df8d8f36b04b458103c5d5454",
            "id": "IN-MAL-2026-007234",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:24:26Z",
            "versions": [
                "1.0.5"
            ],
            "import_time": "2026-06-23T15:33:53.258068288Z"
        }
    ]
}

Affected packages

npm / hashd-edu

Package

Affected ranges

Affected versions

1.*
1.0.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hashd-edu/MAL-2026-6302.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "49a9c93c2ca5c224c4f51876a8c4a069c58066446da97b3cbc5f6bcc903a4f28",
            "tlsh": "5541fe8628fa6a3892b3a6c996779422711390173507ddb1ba4c01601fd732dd4a76ee",
            "path": "postinstall.js"
        },
        {
            "sha256": "8405faa61cc98e1718bc0b9dd16f7b2c48dbd0f7ac36b25e31b0081d488cfe6d",
            "tlsh": "3841f14654f3b53587e3eaa8f66be4067223d1133107cea1b84c42606fd363c54e1be9",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "hashd-edu-1.0.5.tgz",
            "hashes": {
                "sha1": "95518fe603976cf9393dc8bf43ac71961e550fa8",
                "sha512_sri": "sha512-yTtbriERx9ZxXszdPAW+BCsd6liSAuLqh43bpT/ozBwdq51Cc/5lCswivmKM+Jnz/aiuocpIzg+hhPVqgXoimQ=="
            }
        }
    ]
}