MAL-2026-6317

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-bn-lint/MAL-2026-6317.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6317

Published

2026-06-23T16:11:21Z

Modified

2026-06-23T17:01:29.514096560Z

Summary

Malicious code in ts-bn-lint (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e591f0b407bc22e3abe20da9207df2d2922f75d98ab97aaa62557ca88b8fc349)

ts-bn-lint@3.1.19 is a credential harvester disguised as a TypeScript/lint utility. index.js defines decodeStr which base64-decodes all operationally sensitive strings, including the C2 endpoint https://data-stream.space/api/v1 (index.js:32) and the target filename patterns .env, config.toml, Config.toml, config.json, id.json, and env (index.js:13-18). The exported from_str function recursively walks process.cwd() collecting files matching those patterns, then gathers shell histories by invoking execSync("bash -c history") and execSync("zsh -c 'fc -l -1000'") (index.js:101, 117), tagging each upload with the local username and IP for victim correlation before POSTing to the C2 endpoint. The id.json target is the standard Solana CLI keypair file; .env and config.* typically contain API keys and database credentials. The package's own test.js calls from_str() unconditionally, so npm test triggers exfiltration; any consumer who requires the package and calls the exported function does the same. Package metadata is empty (no author, no description) and the name impersonates the TypeScript/lint tooling namespace.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "86ac26ab369f912cd3ec3498348b0182ff37868633087294b69c1cc583e184f6",
            "id": "IN-MAL-2026-007263",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:11:21Z",
            "versions": [
                "5.8.0"
            ],
            "import_time": "2026-06-23T16:54:12.753171106Z"
        },
        {
            "sha256": "e591f0b407bc22e3abe20da9207df2d2922f75d98ab97aaa62557ca88b8fc349",
            "id": "IN-MAL-2026-007272",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:11:28Z",
            "versions": [
                "3.1.19"
            ],
            "import_time": "2026-06-23T16:54:13.577464342Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / ts-bn-lint

Package

Name: ts-bn-lint; View open source insights on deps.dev
Purl: pkg:npm/ts-bn-lint

Affected ranges

Affected versions

3.*

3.1.19

5.*

5.8.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-bn-lint/MAL-2026-6317.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "sha256": "96307f0ca4a0914857019add5e6da267f10f3c278fa82e50e02787b2ca200eea",
            "tlsh": "73c2658c3ac67579593363788f465088eb38525712c8b186b4ae63b46f78cb107b5fdc",
            "path": "big.js"
        },
        {
            "sha256": "6c0e820b07fea88509abfa39be963df1f4baae6604c636101d9d71439ccda091",
            "tlsh": "66210463c9a19da70af85b94bc6c43aaf2161b2f41a05c57b07b130c5f3355b2096bbd",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "ts-bn-lint-5.8.0.tgz",
            "hashes": {
                "sha1": "d7e02f1c1ce21b3a5ce1a954c19c38de4cb445b3",
                "sha512_sri": "sha512-ZHB6JWwY4HKnFANqFqbdqDsnUuicEvoR6joQlyvAXJ95RzKpl0JgoaIBMOSeGtpuKqUua2HcQtCbzVeYc3wpeg=="
            }
        }
    ]
}