MAL-2026-6756

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vps-maintenance/MAL-2026-6756.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6756
Published
2026-07-04T13:43:09Z
Modified
2026-07-04T14:46:38.238483289Z
Summary
Malicious code in vps-maintenance (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (110b8556d612185c2c6ea84731898d4f23f04658556e1ff22852f953b956e43a)

The package.json postinstall script executes a Node one-liner that opens a TCP connection to the hardcoded IP 185.112.147.174 on port 7007 and spawns /bin/sh with its stdio piped through the socket. Because npm auto-runs postinstall during npm install, any installer machine that runs npm install vps-maintenance immediately hands an interactive shell to whoever operates that endpoint, yielding arbitrary remote code execution as the installing user. There is no legitimate install-time use for a bare-IP shell bridge — this is a reverse-shell dropper, not a build helper, runtime fetch, or native-addon step. The package name (vps-maintenance) is a cover story; the actual behavior is a backdoor.
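A lockfile check for this record's indicators, as an added example that is not part of the OSV entry or the amazon-inspector analysis. The function names and the sample lockfile are constructed for illustration; the package name and sha512 integrity value are the ones listed in this record. It also catches nested copies and npm aliases, where the install folder name differs from the real package name.

```javascript
// Added example: indicator values below are copied from this advisory.
const BAD_NAME = "vps-maintenance";
const BAD_INTEGRITY =
  "sha512-Kwj71je+AYz1+E4g35VVwjStRIL4Xfhk9VqPJ1+yZ3FdKOxCXUpMRAsMJPtRr2/8paaw/v99hrnRMqc1IJsjjg==";

// Package name from a lockfile v2/v3 key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

// Record a hit when the folder name, the entry's real name, or the tarball hash matches.
function check(where, name, entry, hits) {
  const reasons = [];
  if (name === BAD_NAME || entry.name === BAD_NAME) reasons.push("name");
  if (entry.integrity === BAD_INTEGRITY) reasons.push("integrity");
  if (reasons.length) hits.push({ where, version: entry.version, reasons });
}

// Lockfile v1 nests transitive packages under "dependencies".
function walkV1(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const where = prefix + name;
    check(where, name, entry, hits);
    walkV1(entry.dependencies, where + " > ", hits);
  }
}

// Accepts a parsed package-lock.json (v1, v2 or v3) and returns the matches.
function scanLockfile(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key !== "") check(key, nameFromPath(key), entry, hits);
  }
  if (!lock.packages) walkV1(lock.dependencies, "", hits);
  return hits;
}

// Constructed sample lockfile (v3): one nested copy, one alias, one clean package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-helper": { version: "2.0.0", integrity: "sha512-constructed" },
    "node_modules/left-helper/node_modules/vps-maintenance": { version: "0.1.0" },
    "node_modules/ops-tools": { name: "vps-maintenance", version: "0.1.0", integrity: BAD_INTEGRITY },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

Because the payload sits in a postinstall hook, the check has to run on the lockfile before installation. Installing with npm's `--ignore-scripts` option keeps lifecycle scripts from running while a hit is investigated.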

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.1.0"
            ],
            "sha256": "110b8556d612185c2c6ea84731898d4f23f04658556e1ff22852f953b956e43a",
            "source": "amazon-inspector",
            "modified_time": "2026-07-04T13:43:09Z",
            "id": "IN-MAL-2026-007956",
            "import_time": "2026-07-04T14:34:32.127091288Z"
        }
    ]
}
References
Credits

Affected packages

npm / vps-maintenance

Package

Affected ranges

Affected versions

0.*
0.1.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "vps-maintenance-0.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Kwj71je+AYz1+E4g35VVwjStRIL4Xfhk9VqPJ1+yZ3FdKOxCXUpMRAsMJPtRr2/8paaw/v99hrnRMqc1IJsjjg==",
                "sha1": "319e70ecd5b71fc690522825093e19cb76ba508d"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "b62a2df731cc91853abbbf71370868506684d82447d51666fe51cb43bf9e4cec",
            "path": "package.json",
            "tlsh": "4811ce35caa4cf2321d840e46cb60a17aaa548172255bd1433ca216dc75e2eb18ff39e"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vps-maintenance/MAL-2026-6756.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]