MAL-2026-6575

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ibrahim1337/baksen/MAL-2026-6575.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6575
Published
2026-06-29T05:24:50Z
Modified
2026-06-29T07:16:43.477970588Z
Summary
Malicious code in @ibrahim1337/baksen (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3594b83aa12e5ab4985211494b6b6f73f6def91aae1210e0ae55f28e572d79a8)

Package @ibrahim1337/baksen@2.0.3 is a Windows x64 browser credential stealer. The entry point loads bytenode and executes the V8-bytecode-compiled index.jsc, which detects installed Chromium-family browsers (Chrome, Brave, Edge), terminates the browser processes via taskkill /F /IM to release database locks, reads each browser's Local State to extract the app_bound_encrypted_key, then invokes a shipped native Windows addon at build/Release/debugelevator.node to perform an App-Bound Encryption bypass via a debug session against the browser process. The decrypted master key is then used to read each browser profile's Cookies and Login Data SQLite databases (SELECT encrypted_value FROM cookies, SELECT origin_url, username_value, password_value FROM logins) and write cleartext cookies and saved passwords to local _cookies/ and _passwords/ directories. The package ships no C/C++ source and no binding.gyp — the 676 KB prebuilt .node binary exists solely to defeat Chromium App-Bound Encryption. A companion src/license.jsc is js-confuser obfuscated (numeric string-array, control-flow flattening, base64 decoders) and constructs a remote license-check URL, further hiding behavior from source review. The package has no README, repository is a placeholder (yourusername), and the description is just baksen — cover-story metadata for a credential-theft toolkit. Installing and running this package on Windows results in theft of the developer's browser cookies (live session tokens) and saved website passwords.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.0.1"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T05:24:50Z",
            "sha256": "2f30b699682dfdb02ea4c678ae852f449ee33f3aff57b44206a52387fdacf996",
            "id": "IN-MAL-2026-007737",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-29T07:09:09.013244589Z"
        },
        {
            "versions": [
                "2.0.3"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T05:25:16Z",
            "sha256": "3594b83aa12e5ab4985211494b6b6f73f6def91aae1210e0ae55f28e572d79a8",
            "id": "IN-MAL-2026-007740",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-29T07:09:09.236457233Z"
        },
        {
            "versions": [
                "1.5.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T05:25:07Z",
            "sha256": "3c70e5ca03f88c3002eb0d2dcb4bd54dd235b13e91565d112deb4fa370181010",
            "id": "IN-MAL-2026-007739",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-29T07:09:09.156398945Z"
        },
        {
            "versions": [
                "2.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T05:24:58Z",
            "sha256": "491ac4df82e71d23eb5184150e9890b8aaaf00183be840b75e14ec1c6ff986a3",
            "id": "IN-MAL-2026-007738",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-29T07:09:09.100161745Z"
        }
    ]
}

Affected packages

npm / @ibrahim1337/baksen

Package

Name
@ibrahim1337/baksen
Purl
pkg:npm/%40ibrahim1337%2Fbaksen

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.5.0
2.*
2.0.0
2.0.1
2.0.3

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "baksen-2.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-OQJUvMWDMG7j4bihgl6aZChSKAcMv6pMAK6U0JL/HGitnGI8RnrGyJiP96bG5fxQRNaZIFBEWSeSLMmrEGaJlQ==",
                "sha1": "74c127d3f042c977cf8976352347ce5249c2d132"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.jsc",
            "tlsh": "67133a117f9eaa6bf469537240af1242373bd5163f23831b170a512f2da39e86ece315",
            "sha256": "1d7cd48aa929293a396053dbfff97878d17ba0010e171c8d64c279cc11f6996b"
        },
        {
            "path": "build/Release/debugelevator.node",
            "tlsh": "5ce4f7a7ed407476ec34503589d3076ba37fb1819362828b2758253e6e97be42f36f84",
            "sha256": "50c07a8c2b625d2e6a53eb3751aab9a7357e5a89b66464877086d02cdfc1f627"
        },
        {
            "path": "index.js",
            "tlsh": "00a011c82bb2a2ce22288080c8a08a0238c2c0b0000a8020aa008aea00c88c80aa8cb0",
            "sha256": "709925e9a9275afd5297350972e52a83a209f5692a3e488e10f7a8e41356fa7f"
        },
        {
            "path": "package.json",
            "tlsh": "1b112164c4b40ca31bd83990ec7e1a46b2625c478968fc0933e3521c9f9e4a712be67d",
            "sha256": "58a7fc787d2c6b205b7c3b91108c268f841f4205b8bd24a31095ecf39adef464"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ibrahim1337/baksen/MAL-2026-6575.json"