{"id":"MAL-2026-10107","summary":"Malicious code in security-node (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2450dc325921e41fd15c24339c29dc86bef36424dd6f8447c07cffd219f3955a)\npackage.json declares the package's own name as both a dependency and devDependency pointing to http://pack.nppacks.com/npm/security-node, a non-npm-registry host served over plaintext HTTP. On `npm install`, npm fetches whatever tarball that URL currently serves and installs it as node_modules/security-node, replacing the registry-published contents with code delivered from a mutable third-party host over an unauthenticated channel. This bypasses registry-side scanning and version pinning; the operator of pack.nppacks.com (or any on-path MITM against the plain-HTTP fetch) controls the code that lands in the installer's node_modules on every install. The shipped index.js itself is a benign Babel DefinePlugin-style transform with a self-declared 'Security Research Testing Purpose' header comment, but the tarball substitution mechanism is the installer-harm surface, independent of the current in-tarball code.\n","modified":"2026-07-09T23:47:00.164467039Z","published":"2026-07-09T23:02:15Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.1.4"],"sha256":"2450dc325921e41fd15c24339c29dc86bef36424dd6f8447c07cffd219f3955a","id":"IN-MAL-2026-009592","import_time":"2026-07-09T23:30:55.828134674Z","modified_time":"2026-07-09T23:02:15Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/security-node/v/1.1.4"}],"affected":[{"package":{"name":"security-node","ecosystem":"npm","purl":"pkg:npm/security-node"},"versions":["1.1.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/security-node/MAL-2026-10107.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-1C/3jRlzz/+stUm/0BIw608icP3w/txACn4SI9Hq72RTRKtRs4Kri8IijgMUnClFPye8s5CbDiODhh+yfWCEOw==","sha1":"d1e734f01abe4d19bce47dccdfcde5944cf0b0b7"},"filename":"security-node-1.1.4.tgz"}],"evidence_files":[{"tlsh":"e4f0fc08ce35e93344c565629937450662349d975c99fe0c37c7061d9fcd56720f459c","path":"package.json","sha256":"cf9d7cd2d611d5095d17e3dfc39d1c0371f0b1fc4398a48780cf2e4d1ae443c0"},{"tlsh":"71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1","path":"index.js","sha256":"f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}