MAL-2026-6354

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-bug-bounty-test1-rhyselsmore/MAL-2026-6354.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6354
Published
2026-06-23T21:57:12Z
Modified
2026-06-23T22:46:23.585379163Z
Summary
Malicious code in npm-bug-bounty-test1-rhyselsmore (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (354a2aa5da5356bab1c97537f865ebdf6af3fcc24f74a6f7c6f78181265c8af2)

package.json declares a dependency foo whose source URL is https://3223567a82f3.ngrok.app/foo — an ephemeral, anonymous ngrok tunnel with no version pin and no integrity hash. On npm install, npm fetches whatever tarball the tunnel currently serves and runs its lifecycle scripts (preinstall/install/postinstall) on the installer's machine. The tunnel operator can swap the served bytes at any time, so the package effectively delegates arbitrary code execution at install time to whoever controls the ngrok endpoint. The package itself has no functional surface: the declared main: index.js is absent from the tarball (which contains only a foo text file and package.json), so the only observable effect of installing it is the dependency-resolution fetch from the attacker-controlled tunnel. Package naming suggests this may be a bug-bounty proof of concept, but the install-time mechanism is identical to a real dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-23T22:31:28.650301301Z",
            "sha256": "354a2aa5da5356bab1c97537f865ebdf6af3fcc24f74a6f7c6f78181265c8af2",
            "modified_time": "2026-06-23T21:57:12Z",
            "versions": [
                "1.0.5"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007388"
        }
    ]
}
References
Credits

Affected packages

npm / npm-bug-bounty-test1-rhyselsmore

Package

Name
npm-bug-bounty-test1-rhyselsmore
View open source insights on deps.dev
Purl
pkg:npm/npm-bug-bounty-test1-rhyselsmore

Affected ranges

Affected versions

1.*
1.0.5

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "tlsh": "3ee026605851882306d5667a1c2e6453b6618e5f04483c1a73cb542c92ce7b72dfd35c",
            "sha256": "acb0aa7773ab1a014ab6cbadfecdcf9e6484959a5fde9a7c6579e92b6bc66065",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-bug-bounty-test1-rhyselsmore/MAL-2026-6354.json"