MAL-2026-6496

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@dervix/ws/MAL-2026-6496.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6496
Published
2026-06-26T01:56:33Z
Modified
2026-06-26T03:31:24.949513912Z
Summary
Malicious code in @dervix/ws (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (79b9ab7431b1a6a1250c089e2ea33f54ad92313f587fbd2aabc020c12be55f69)

Package @dervix/ws impersonates the popular ws WebSocket library: package.json copies the legitimate ws project's homepage (https://github.com/websockets/ws), repository and author metadata while publishing under an unrelated scope. lib/websocket.js appends ~130KB of heavily obfuscated code after the genuine socketOnError function; because index.js loads lib/websocket.js, the payload executes at require() time. On import the payload:

1. re-spawns the current Node process detached, with stdio: 'ignore' and windowsHide: true, gated by an obfuscated marker environment variable so that the parent returns cleanly while a daemonized child continues;
2. constructs an AES-256 key by XOR-combining four hardcoded hex Buffers;
3. issues an HTTPS GET (following 3xx redirects) to a URL that is stored encrypted in the source and RC4-decoded at runtime, streams the response to a file under os.tmpdir(), and decrypts it with createDecipheriv;
4. calls fs.chmodSync(path, 0o755), then child_process.spawn(path, ...) with detached: true and unref()s the child.

Dynamic import('child_process') / import('path') is used to defeat static require() audits, and an inspector.url() check short-circuits execution when a debugger is attached. There is no signature verification and no version pinning, and because the destination URL is only decoded at runtime it cannot be recovered by static inspection alone. Combined with the cloned ws metadata, this is a deliberate typosquat dropper that downloads and executes attacker-controlled binary code on any machine that installs and imports the package.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-26T01:56:33Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T03:14:43.240155747Z",
            "id": "IN-MAL-2026-007578",
            "versions": [
                "8.21.4"
            ],
            "sha256": "09575a7546e1b46b4042a1d2437450ba5b76d3bee8993eba8c0226fe994939f7"
        },
        {
            "modified_time": "2026-06-26T01:56:35Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T03:14:43.309129987Z",
            "id": "IN-MAL-2026-007579",
            "versions": [
                "8.21.3"
            ],
            "sha256": "79b9ab7431b1a6a1250c089e2ea33f54ad92313f587fbd2aabc020c12be55f69"
        }
    ]
}
References
Credits

Affected packages

npm / @dervix/ws

Package

Name
@dervix/ws
Purl
pkg:npm/%40dervix%2Fws

Affected ranges

Affected versions

8.*
8.21.3
8.21.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@dervix/ws/MAL-2026-6496.json"
indicators
{
    "package_integrity": [
        {
            "filename": "ws-8.21.4.tgz",
            "hashes": {
                "sha1": "9fc819c0759204582891ca568505ab462871649b",
                "sha512_sri": "sha512-cod5UXd7dbwOoPBDGoBI+tXE1IZ4tkfFc3rxPD0oFgRC29wrNvE2s/xOBX3NKSFfL9+UmIk1eTqNuhCuULNcWA=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "ced31a85befa31af51a251b3121f6186f1299c5ab308c458f41dcdecbf5523cd2b26ac",
            "path": "lib/websocket.js",
            "sha256": "30caa0b3ebb980d49f89ff3b9f545e4c0ff91b939e7ac91bfe9ee9b46d5b79b3"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]