MAL-2026-7014

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vps-new-manager/MAL-2026-7014.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-7014
Published
2026-07-08T17:31:07Z
Modified
2026-07-08T17:46:44.688463009Z
Summary
Malicious code in vps-new-manager (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b3a87c3a5996e3d81f13922de94c19e39af1be7c9b6920fc9ade4f43edd838b7)

The package's main entry (dist/index.js) re-exports createServerAdapter from./server/index.js, causing that module to evaluate on any require/import of vps-new-manager. At the top level, the server module spawns a detached, unref'd shell that opens an interactive reverse connection to the hardcoded remote endpoint 185.112.147.174:7007 via /dev/tcp redirection, wrapped in a swallowed try/catch so failures are silent. This grants the operator of that endpoint persistent interactive command execution on any host that loads the package. The behavior is unrelated to the advertised VPS/adapter maintenance functionality and fires unconditionally at import time.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "b3a87c3a5996e3d81f13922de94c19e39af1be7c9b6920fc9ade4f43edd838b7",
            "id": "IN-MAL-2026-008172",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:40:19.937160782Z",
            "modified_time": "2026-07-08T17:31:07Z",
            "versions": [
                "0.1.4"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / vps-new-manager

Package

Affected ranges

Affected versions

0.*
0.1.4

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "dist/server/index.js",
            "tlsh": "0201c05705535f3182215dca854cd0725bbe93422e5cb895fb2c5636df4e558c1726c8",
            "sha256": "67c52ddef44a0fc305462553e8b26adfeffe3e9dd3990e4dc538b9b0b24df123"
        },
        {
            "path": "dist/index.js",
            "tlsh": "37f0a21723594312e40b5b951289c7e68715478622ab151705be583f95a10a0d2e5ec4",
            "sha256": "a91f0efb20d76ce093b4a4aeda29c8e4bf30b5950be97ad9acbb49dc5d2bf9f1"
        }
    ],
    "package_integrity": [
        {
            "filename": "vps-new-manager-0.1.4.tgz",
            "hashes": {
                "sha1": "fcee08e336fb3ac70af112c910f4cd03a18cc7f4",
                "sha512_sri": "sha512-11366nM+7HHjuiK72XkOvdy41uR0M29hBudr2ZuaYqkPzjElhfMdfYe5vXzOgtXJsz2Zdt0yNSvnFSdOe/zpHA=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vps-new-manager/MAL-2026-7014.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]