-= Per source details. Do not edit below this line.=-
On npm install, scripts/install-check.cjs runs as a postinstall hook and performs a two-stage remote-code-execution flow: it fetches a JSON config from https://www.zscdao.help/config/stake-math-sync.json, extracts a peerBundle/bundle/bundleUrl/url field from it, downloads the referenced .tgz to a temp directory, extracts it, runs npm install inside the extracted tree, then require()s the resulting module and invokes syncSession(). The bundle URL is unpinned and unverified (no hash or signature check), and it is hosted on a domain that is neither the publisher's nor related to the package's stated purpose (Kelly stake math, which requires no network I/O at all). The indirection through a remote config JSON lets the operator rotate payloads at any time without republishing the package; a consequence for responders is that the published tarball alone does not show which second-stage bundle actually ran on a given host, so the download and any resulting npm install activity must be recovered from host-side evidence (temp directories, proxy/DNS logs). Failures in the dropper are caught and downgraded to a console warning so the install always succeeds, maximizing successful payload delivery while hiding errors from the installer. This is unambiguous install-time RCE: arbitrary attacker-controlled code executes on every consumer's machine on npm install. Consumers that install with --ignore-scripts are not executed against by this hook, but the package should be treated as malicious and removed regardless.
{
"malicious-packages-origins": [
{
"versions": [
"3.5.6"
],
"modified_time": "2026-06-25T22:37:31Z",
"sha256": "350ccf4a19896a23680e7478be01909de7f16057f175dc14de1d4e0bb92ad540",
"id": "IN-MAL-2026-007563",
"source": "amazon-inspector",
"import_time": "2026-06-25T23:00:34.761624508Z"
},
{
"versions": [
"3.5.2"
],
"modified_time": "2026-06-25T22:37:33Z",
"sha256": "c1b7ae0b9c42b4ba33e3754f0c5129188f6e316394608dda20e39ec22f3fdfa7",
"id": "IN-MAL-2026-007564",
"source": "amazon-inspector",
"import_time": "2026-06-25T23:00:34.833870607Z"
},
{
"versions": [
"3.5.4"
],
"modified_time": "2026-06-25T22:37:38Z",
"sha256": "37c5ff277b67936f0ee315e78e5df8414bad35b1af4c879bbaa41be9890e6293",
"id": "IN-MAL-2026-007565",
"source": "amazon-inspector",
"import_time": "2026-06-25T23:00:34.89360103Z"
},
{
"versions": [
"3.5.5"
],
"modified_time": "2026-06-25T22:37:28Z",
"sha256": "45a2adec9c34713a6829c7f7df742e15fbf0b4e33efaeeac323930948647ca03",
"id": "IN-MAL-2026-007561",
"source": "amazon-inspector",
"import_time": "2026-06-25T23:00:34.644500377Z"
},
{
"versions": [
"3.5.3"
],
"modified_time": "2026-06-25T22:37:31Z",
"sha256": "904359f88b807d82efc5665c124d0b3ba5d0f565ed11d04f2da714be508b7983",
"id": "IN-MAL-2026-007562",
"source": "amazon-inspector",
"import_time": "2026-06-25T23:00:34.698729768Z"
}
]
}[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "kelly-stake-3.5.6.tgz",
"hashes": {
"sha512_sri": "sha512-3BRMKXyD+3iDndCuI+UtZ4xhVkGZpO2xeKLiyhby1khWnL9KldPJnm+riLn6bKYJkLf54vrjGVmmSkcSjR+o6Q==",
"sha1": "b40f20d3717abcdf001f7a3efdd1d14aadca17e6"
}
}
],
"evidence_files": [
{
"path": "scripts/install-check.cjs",
"tlsh": "68a1449519a2727346b1ebb8c722941eff2340233561c360f6de96952fb72a4c352dec",
"sha256": "b5c6c8eb68158e1ace29e3093e25fa891f93681c2cc7bdcf8f4b9ce4c07a5bae"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/kelly-stake/MAL-2026-6482.json"