MAL-2026-6363
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npmkekw/MAL-2026-6363.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6363
- Published
- 2026-06-24T02:37:21Z
- Modified
- 2026-06-24T03:31:23.635754335Z
- Summary
- Malicious code in npmkekw (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (74384b76540c8d36fef8a30dc2acd3224defeaa8a58d0155101f2f670aa8b153)
The package's main module (index.js) exports an
init()function that spawns/bin/bashviachild_process.execand opens a TCP socket to the hardcoded remote address 49.13.148.41:443, piping the shell's stdio through the socket — a textbook reverse-shell backdoor giving the operator at that IP interactive command execution on any host that callsinit(). Package metadata is consistent with a throwaway attack vehicle: emptydescription, emptyauthor, non-descriptive namenpmkekw, and no other functional code. The payload as shipped contains a typo (references an undefinedshvariable and pipes fromcp.stdout) so it crashes on first use, but the intent and structure are unambiguous and a one-character fix would make it functional. - Database specific
{ "malicious-packages-origins": [ { "sha256": "001543f96749cd3e6896e93ae9d601dcd9c9c7646de0a624e9c9d22f20032df3", "id": "IN-MAL-2026-007395", "source": "amazon-inspector", "modified_time": "2026-06-24T02:37:28Z", "versions": [ "2.0.0" ], "import_time": "2026-06-24T03:14:01.114430528Z" }, { "sha256": "bea6f325821de15ed962d2b22f820e53220dcb59004dd436a95cc5f4d0cc26ad", "import_time": "2026-06-24T03:14:00.968947176Z", "source": "amazon-inspector", "modified_time": "2026-06-24T02:37:25Z", "versions": [ "2.0.3" ], "id": "IN-MAL-2026-007393" }, { "sha256": "1810d4765039fea883114aab44274ee9a85c80801dd8ed7043de829764a8b14f", "id": "IN-MAL-2026-007394", "source": "amazon-inspector", "modified_time": "2026-06-24T02:37:25Z", "versions": [ "2.0.5" ], "import_time": "2026-06-24T03:14:01.030598994Z" }, { "sha256": "74384b76540c8d36fef8a30dc2acd3224defeaa8a58d0155101f2f670aa8b153", "id": "IN-MAL-2026-007392", "source": "amazon-inspector", "modified_time": "2026-06-24T02:37:21Z", "versions": [ "2.0.1" ], "import_time": "2026-06-24T03:14:00.889880242Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / npmkekw
Package
- Name
- npmkekw
- View open source insights on deps.dev
- Purl
- pkg:npm/npmkekw
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npmkekw/MAL-2026-6363.json"
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"sha256": "25137bb3be77d94697f75136f8188a5278d7c446242817bebd827f571190188f",
"tlsh": "cbd02b6f36a75214227b20b01e0fec218d1584061700c65c538a4b68af808acad92b94",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "npmkekw-2.0.0.tgz",
"hashes": {
"sha1": "4a53b2bc4e2660a1d3a4e09274d3c2e444ae08a2",
"sha512_sri": "sha512-AcHNkW3dbraBJqKhkXNVvLiq8aiXjBqoeEPyFPqoUXpkSLSEoS8OqDRa2T7cdvZlJRFd1X/PwMyto9r6sAsOYw=="
}
}
]
}