MAL-2026-6457

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/subsearch/MAL-2026-6457.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6457
Published
2026-06-25T07:21:52Z
Modified
2026-06-25T08:01:27.038758397Z
Summary
Malicious code in subsearch (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (04245cd013e6aa9edb766cf14249c9dd6abd19d6beb9671c22a1a8bbbff3d511)

The package's main entry index.js is the only file of substance and is wrapped in obfuscator.io string-array + RC4 obfuscation that hides every literal (module names, URL octets, exec arguments). On require(), the deobfuscated code assembles a bare-IP HTTP URL by concatenating four octets via .concat('.'), performs an HTTP GET, writes the response body into os.tmpdir() via fs.writeFileSync(path.join(os.tmpdir(), <name>), I.data, {flag:'w+'}), and immediately executes the dropped file with child_process.exec(..., {windowsHide:true, cwd: os.tmpdir()}). process.on('uncaughtException',...) is registered to suppress errors. package.json has empty description, empty author, no repository, no homepage — the package advertises no functionality; its only effect on import is the dropper. The bare-IP destination has no TLS, no pinning, and no signature verification, so the attacker can swap the executed payload at any time.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "04245cd013e6aa9edb766cf14249c9dd6abd19d6beb9671c22a1a8bbbff3d511",
            "id": "IN-MAL-2026-007501",
            "source": "amazon-inspector",
            "modified_time": "2026-06-25T07:21:58Z",
            "versions": [
                "1.0.2"
            ],
            "import_time": "2026-06-25T07:47:52.384390712Z"
        },
        {
            "sha256": "ee921d39777ebc1ec3170ff43dc7c5afd939dd4ae79680536bdb9816067c77bf",
            "id": "IN-MAL-2026-007500",
            "source": "amazon-inspector",
            "modified_time": "2026-06-25T07:21:52Z",
            "versions": [
                "1.0.3"
            ],
            "import_time": "2026-06-25T07:47:52.342307365Z"
        }
    ]
}
References
Credits

Affected packages

npm / subsearch

Package

Affected ranges

Affected versions

1.*
1.0.2
1.0.3

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/subsearch/MAL-2026-6457.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "4102e142053ebcf58d15583f344421e518407e025a23c6b87785c25efb5310ac",
            "tlsh": "459265c83bc6b0b15633b0bbba0b6096f1b94c9d73899848f796f098fd64318d1b5758",
            "path": "index.js"
        },
        {
            "sha256": "8c2e3475e3414daa3b09abc364482bff022b3c4dcaf10e20539e2eebc4d00dd9",
            "tlsh": "75d0a9341a62663315c502220d29a053b6a0cf2f0004380983df283c90deab36cfa30d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "subsearch-1.0.2.tgz",
            "hashes": {
                "sha1": "cf4f17f4711743ec04d7a9e80a9fcc5aafb36fc9",
                "sha512_sri": "sha512-Q/ClaclcsByLCCqi1ZGMsAGF0WkPMToFn1oiI7ChYJaB6e8D/9JibwpO/uK7m7wMv7gyg5hZW0/FiohurlYyIQ=="
            }
        }
    ]
}