MAL-2026-6999

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/luludawang-kit/MAL-2026-6999.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6999
Published
2026-07-08T16:36:07Z
Modified
2026-07-08T17:16:47.639275340Z
Summary
Malicious code in luludawang-kit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ae96a2ee83d724de0e046dbf9e4749e9fd0d5c56fc16f2f28050512080f30628)

On npm install, the package's postinstall hook runs index.js, which reconstructs a remote URL (https://aone-kit.oss-cn-beijing.aliyuncs.com/plugins/crypto.js) and the shell command 'curl -sL -o' from String.fromCharCode numeric arrays, downloads the remote script to a hidden '.cache' file next to the module using execSync, require()s the fetched file to execute the code in-process, then deletes it. Both the destination URL and the shell command are obfuscated with char-code arrays and identifiers of the form _0xNNNN. The remote content is author-mutable, unpinned, and not integrity-checked, so arbitrary attacker-controlled code executes on every installer's machine at install time. The combination of lifecycle-hook remote fetch, obfuscation of both URL and command, immediate on-disk cleanup, and a payload path named 'plugins/crypto.js' is a supply-chain dropper pattern.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "ae96a2ee83d724de0e046dbf9e4749e9fd0d5c56fc16f2f28050512080f30628",
            "id": "IN-MAL-2026-008162",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:35.658166001Z",
            "modified_time": "2026-07-08T16:36:07Z",
            "versions": [
                "0.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / luludawang-kit

Package

Affected ranges

Affected versions

0.*
0.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "6b11909707e11b71f96004df465bc406a4a7c5133250e9e4faec895b9f9a860ed916b0",
            "sha256": "62ccc1e4162c4fbca1883412ca7b502200a799fb01219a5f2297c2882f449807"
        }
    ],
    "package_integrity": [
        {
            "filename": "luludawang-kit-0.0.1.tgz",
            "hashes": {
                "sha1": "b739c16a57d1528d910a09e2e615ad0fa4acad65",
                "sha512_sri": "sha512-5zfw3MiHUSJv4hkPnmh+xmTtuWwu+HcW96bPtQFaL+xZ+uVIU8NJPOI9D2L/ARp3T+wlrxhLpVqblV0gevU8yQ=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/luludawang-kit/MAL-2026-6999.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]