MAL-2026-6524

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-einkle/MAL-2026-6524.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6524
Published
2026-06-26T14:16:24Z
Modified
2026-06-27T19:46:39.488608933Z
Summary
Malicious code in ts-einkle (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fa992a8f9afcf95d3c0e35b6abc290ff565b450663f6d43511467cd370eefce8)

ts-einkle@1.1.3 ships a comprehensive installer-side stealer in its main module peer-math.js. On require, syncSession() runs a chain (packProjectBundle, packWalletsAndCreds, packDeepScan) that:

(1) reads classic credential paths including ~/.ssh, ~/.aws, ~/.gnupg, ~/.npmrc, ~/.pypirc, ~/.docker/config.json, ~/.git-credentials, and ~/.config/gh/hosts.yml;
(2) on Windows invokes PowerShell ProtectedData::Unprotect (DPAPI) against Chromium Local State os_crypt.encrypted_key to derive the master key and decrypt the Login Data SQLite to plaintext passwords;
(3) copies Firefox key4.db/logins.json, Bitwarden data.json, KeePass .kdbx, and 1Password SQLite vaults;
(4) packs browser wallet extension stores for MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, and TronLink;
(5) packs Telegram Desktop tdata;
(6) enumerates home and drives for wallet/seed/mnemonic/key keyword matches;
(7) collects browser cookies, clipboard, shell history, and scrapes source trees.

Captured data is POSTed to https://datasecure-service.vercel.app/api/v1 (overridable via PSM_API_URL). package.json declares "postinstall": "node test.js", so installation is intended to auto-trigger the chain. Cover-story labels (functions renamed from_str_1..17, sentinel files named data-backup-upload-*.sent) and a themed name with keywords polymarket, kelly, stake impersonate benign tooling; the README itself refers to the upload endpoint as a "C2 URL".

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.9"
            ],
            "modified_time": "2026-06-26T14:16:24Z",
            "sha256": "25da283df3c201222ff1542da14b7fe428ab18aad7641d3521d2d4274d373e0b",
            "id": "IN-MAL-2026-007606",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T14:59:21.344860649Z"
        },
        {
            "versions": [
                "1.1.2"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-27T15:45:38Z",
            "sha256": "b011dddf3acc2a1269d8bb864414696c8d44fadb2593544e4d26cb2ce641cf01",
            "id": "IN-MAL-2026-007680",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-27T15:57:48.922434147Z"
        },
        {
            "versions": [
                "1.1.0"
            ],
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-27T15:45:45Z",
            "sha256": "1ff02c0869d8d15a81a6172fd66e0f89de1502c21314fa81c6b7fbc7ecf559b4",
            "id": "IN-MAL-2026-007681",
            "source": "amazon-inspector",
            "import_time": "2026-06-27T15:57:48.966256979Z"
        },
        {
            "versions": [
                "1.1.3"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-27T19:12:43Z",
            "sha256": "fa992a8f9afcf95d3c0e35b6abc290ff565b450663f6d43511467cd370eefce8",
            "id": "IN-MAL-2026-007685",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-27T19:35:55.782238203Z"
        }
    ]
}

Affected packages

npm / ts-einkle

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.0.9
1.1.0
1.1.2
1.1.3

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "ts-einkle-1.0.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-Mvwq7v93WRwzkyAoiF96nAiwSdp1FzScwH65q+9jNrfobJ/0U7UWeE4LoFE5PapWtXHrePdDEPXQMXkWkVfVpw==",
                "sha1": "07fc1e609cf4fa60151abcaa20e65a71aa7112c0"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "2842a7da10a77926c67127b8db074019ff67da6735224646f2fc42883f7212891e6fdc",
            "sha256": "1b94a9fcccb1a7188a3b83aea020bf890a66fb0a32d35456f03d8310e7b163b6"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-einkle/MAL-2026-6524.json"