{"id":"MAL-2026-2528","summary":"Malicious code in sjs-lint-build1 (npm)","details":"sjs-biginteger typosquats big.js on npm. Published April 7, 2026 by throwaway account vanes.s.p.orit.a, the package ships legitimate big.js source and hides its payload in a dependency: sjs-lint-build1. On install, the dependency’s postinstall hook fetches the attacker’s SSH public key from a C2 server, appends it to ~/.ssh/authorized_keys, opens firewall port 22, then collects SSH keys, environment variables, config files (.env, Solana id.json, config.toml), and system fingerprints. It exfiltrates the collected data to two Vercel-hosted C2 domains disguised as Cloudflare services.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cba6ed57b1eb82592650453ea703d44d9294be1c1c3316f4562ff4f197e6c0f6)\nThe package sjs-lint-build1 was found to contain malicious code.\n","modified":"2026-04-10T17:35:12.516557Z","published":"2026-04-09T14:04:30Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-04-10T17:02:58Z","source":"amazon-inspector","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"import_time":"2026-04-10T17:21:49.017936724Z","sha256":"cba6ed57b1eb82592650453ea703d44d9294be1c1c3316f4562ff4f197e6c0f6"}]},"references":[{"type":"REPORT","url":"https://safedep.io/malicious-sjs-biginteger-npm-ssh-theft/"}],"affected":[{"package":{"name":"sjs-lint-build1","ecosystem":"npm","purl":"pkg:npm/sjs-lint-build1"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sjs-lint-build1/MAL-2026-2528.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}