MAL-2026-6564

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@thone33/core-utils/MAL-2026-6564.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6564
Published
2026-06-29T04:50:05Z
Modified
2026-06-29T05:16:43.768034786Z
Summary
Malicious code in @thone33/core-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (05561d1a31165dab72c5090437ccfa7a85035a2b4fdf6a646eca59b62dd87120)

@thone33/core-utils 1.0.4 is a loader stub. Its main entry (index.js) imports activate from the same-author dependency @thone33/analytics-injector and invokes it at module top level whenever process.env.NODE_ENV === 'production'. The author's own inline comment describes this as silently activating a payload in production ('ATIVA O PAYLOAD SILENCIOSAMENTE (em produção)'). The package is advertised as 'Core utilities', which does not justify production-gated invocation of an 'analytics-injector' dependency. The NODE_ENV=production gate is a developer-laptop-dormant / production-fires evasion pattern: consumers' local dev and CI environments see nothing, while deployed production processes execute whatever code the author publishes under @thone33/analytics-injector. Because the injector is in the same author scope and pinned as ^1.0.0, the author can ship arbitrary additional code into consumers' production runtimes via a minor/patch release without any change to this package.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.4"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T04:50:23Z",
            "sha256": "05561d1a31165dab72c5090437ccfa7a85035a2b4fdf6a646eca59b62dd87120",
            "id": "IN-MAL-2026-007731",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-29T05:07:07.880941184Z"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T04:50:48Z",
            "sha256": "bc21b99e8aa825cc496faec3251ba814d5fdec8a7fe6294407a9b067e0558b2c",
            "id": "IN-MAL-2026-007734",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-29T05:07:08.39959735Z"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T04:50:40Z",
            "sha256": "cfc57cb70348ed66a74b958d3155234acebe740fd4d72e8c5f4e1fd939ea8ec7",
            "id": "IN-MAL-2026-007733",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-29T05:07:08.121973167Z"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-29T04:50:31Z",
            "sha256": "0bc45a824950b13adc9f82ee769e0025f4c353cf74a1ddd62e7b9626a8e5ca68",
            "id": "IN-MAL-2026-007732",
            "source": "amazon-inspector",
            "import_time": "2026-06-29T05:07:07.999080066Z"
        },
        {
            "versions": [
                "1.0.5"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T04:50:05Z",
            "sha256": "2e89994f9f3c8da051834049643a2a04df8b6fa9c14452fafceb6080e9f85be9",
            "id": "IN-MAL-2026-007729",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-29T05:07:07.637802061Z"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-29T04:50:14Z",
            "sha256": "80421aa7cecd55d71cbde625bbb0dd5febc8aef00f32a1a6e1b8601b1c8d2673",
            "id": "IN-MAL-2026-007730",
            "source": "amazon-inspector",
            "import_time": "2026-06-29T05:07:07.758162926Z"
        }
    ]
}

Affected packages

npm / @thone33/core-utils

Package

Name
@thone33/core-utils
Purl
pkg:npm/%40thone33%2Fcore-utils

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-9xdmsCJyCWY+HWAfFGkYAC9ME15ErPyczbRweGjzL4YJawsO9GqxRDKIpz4QKsdKhWo23GiOMS8uBKd+Dmtl0A==",
                "sha1": "cd417a3214c25e46b200ec502aba1c957cad0ee8"
            },
            "filename": "core-utils-1.0.4.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "671197d658c6702102b33375a79a8501f93c2857bea82278b02cd7312f2175893a6c5a",
            "sha256": "81e68f85145ccabfac55d8c22c31644cb56d2a70a132a1ba132f6dbfc6fa613b"
        },
        {
            "path": "package.json",
            "tlsh": "33e0c2a7c7209c6b02f69795b8a90303f7b0032f6140e85a357c121c8fb12a3e0cda0d",
            "sha256": "64760d1671cf65e5a7916a387f3e381b6fea768377f70605cf7c258c39f0ab98"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@thone33/core-utils/MAL-2026-6564.json"