{"id":"MAL-2026-2406","summary":"Malicious code in @ceeferenderer/fe-renderer-sdk (npm)","details":"Multiple evidences suggest malicious intent: code obfuscation, dynamic code execution, process access, install script, and suspicious email.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (feee20bafab758bb648bbe425a100a13e6d21799552a2b5566fe6029faef6ce4)\nPackage runs malicious code both at install time (package.json `install` script: `node index.js`) and at require time (`main: index.js`). index.js silently requires `./lib/core` inside a try/catch. lib/core.js, with the help of two obfuscated helper modules (lib/b02e30.js and lib/6ad264.js), builds the strings 'os', 'dns', and 'oob.sl4x0.xyz' from numeric character-code arrays via String.fromCharCode and loads built-in modules through `module.constructor._load(...)` to evade static inspection. It then assembles the subdomain `ceefe.\u003cusername\u003e.\u003chostname\u003e.\u003ccwd_basename\u003e.\u003cunix_timestamp\u003e.oob.sl4x0.xyz` and issues a `dns.resolve4()` lookup, exfiltrating the installer's OS username, hostname, and working-directory name to an attacker-controlled domain over DNS. The combination of auto-execution on install and require, character-code obfuscation of both the target domain and built-in module names, DNS (rather than HTTP) as the exfil channel, random-hex-named helper files, and silent try/catch swallowing of errors is an unambiguous credential-reconnaissance beacon.\n","modified":"2026-05-13T20:22:19.978593Z","published":"2026-03-24T09:03:41Z","database_specific":{"malicious-packages-origins":[{"sha256":"2a80561f9a54ffd1bb641227597e1f38c12ce2b8a7424d92bdc7d7f30081603c","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"source":"amazon-inspector","modified_time":"2026-04-07T14:24:50Z","import_time":"2026-04-07T14:39:19.852751577Z"},{"sha256":"feee20bafab758bb648bbe425a100a13e6d21799552a2b5566fe6029faef6ce4","source":"amazon-inspector","id":"IN-MAL-2026-002367","modified_time":"2026-05-12T19:03:07Z","versions":["99.9.9"],"import_time":"2026-05-13T20:10:56.480470138Z"}]},"references":[{"type":"REPORT","url":"https://app.safedep.io/community/malysis/01KKPW1C7J4QHM6BSFVA8SRBZZ"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@ceeferenderer/fe-renderer-sdk/v/99.9.9"}],"affected":[{"package":{"name":"@ceeferenderer/fe-renderer-sdk","ecosystem":"npm","purl":"pkg:npm/%40ceeferenderer/fe-renderer-sdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["99.9.9"],"database_specific":{"indicators":{"package_integrity":[{"filename":"fe-renderer-sdk-99.9.9.tgz","hashes":{"sha1":"43705aac00398492b82319164749ae5e136541c7","sha512_sri":"sha512-bckRKyZ4wkSujNcOZzwO+nMajqo7Dw6f6WniXDBgE8il8Mq6o7GslYZGo+FthAO+J1rgTYsqYFp/Wl1iSjYJDg=="}}],"evidence_files":[{"sha256":"d24415d02b2768deed6613ba41e3837825889459718a582d352a0805d40a321c","tlsh":"d0f02d69b393c48f97e096d0360a53d18559c3c0e7cf8195fb7c4a87904e7d1ca85a55","path":"lib/core.js"},{"sha256":"8fb4af8838b119058f4dabd6102278e56f9707513813d76dd579c6926292362a","tlsh":"b2e068073307c94fa2880bfb7d0050a1ba0d8b5ca11dc0d6b528678500af443c0c0272","path":"lib/b02e30.js"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ceeferenderer/fe-renderer-sdk/MAL-2026-2406.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}