{"id":"MAL-2026-3775","summary":"Malicious code in tsliverhome (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0855b4d02a0d276e8a6cf97b7c62d457b8ef4d851e243d758c2308d451e0876e)\nPackage name 'tsliverhome' impersonates the widely-used 'tslib' package (~300M weekly downloads). The shipped README.md is a verbatim copy of Microsoft/tslib's README (titled '# tsliv', describing the TypeScript --importHelpers runtime library), designed to reassure a developer who mistyped the name. The actual code in index.js has no relation to tslib: the exported getPlugin() function issues an HTTP GET to https://verceljs-kappa.vercel.app/icons/23, JSON.parses the response body, and passes it directly to eval(). The destination is a generic Vercel preview-style host not tied to any declared publisher, is not version-pinned, and the fetched bytes are not hash- or signature-verified. Any consumer who imports this package and calls getPlugin() will execute arbitrary JavaScript under the control of whoever operates verceljs-kappa.vercel.app. Supporting signals: package.json ships placeholder metadata (empty description, empty author, no repository, no homepage), consistent with throwaway-publisher typosquat packages. The combination of (a) name-confusion with a top-tier target, (b) README impersonation of that target, and (c) a remote-fetch-and-eval payload in the exported API constitutes a deliberate supply-chain attack against developers who mistype 'tslib'.\n","modified":"2026-05-15T07:51:35.760415Z","published":"2026-05-14T19:25:45Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"0855b4d02a0d276e8a6cf97b7c62d457b8ef4d851e243d758c2308d451e0876e","modified_time":"2026-05-14T19:25:45Z","versions":["1.0.0"],"id":"IN-MAL-2026-002751","import_time":"2026-05-15T07:37:18.889046706Z"},{"source":"amazon-inspector","sha256":"5c4db6a48fc6f6bbda3c925104e3e6acd47c5d21462bbef4788fc4398b75d6ef","modified_time":"2026-05-14T19:25:45Z","versions":["1.1.3"],"id":"IN-MAL-2026-002752","import_time":"2026-05-15T07:37:18.992673854Z"},{"source":"amazon-inspector","sha256":"a864c875216fe3cb9b5f1c2bd83f8145cba56f4c5fe7b16ede8296984743f5e7","modified_time":"2026-05-14T19:25:46Z","versions":["1.1.4"],"id":"IN-MAL-2026-002753","import_time":"2026-05-15T07:37:19.031866925Z"},{"source":"amazon-inspector","sha256":"b67461921c7e465510602304d712f8caa79c28204ffb7861c3b0feb264ca8476","modified_time":"2026-05-14T19:25:46Z","versions":["1.1.5"],"id":"IN-MAL-2026-002754","import_time":"2026-05-15T07:37:19.068122454Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/tsliverhome/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/tsliverhome/v/1.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/tsliverhome/v/1.1.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/tsliverhome/v/1.1.5"}],"affected":[{"package":{"name":"tsliverhome","ecosystem":"npm","purl":"pkg:npm/tsliverhome"},"versions":["1.0.0","1.1.3","1.1.4","1.1.5"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tsliverhome/MAL-2026-3775.json","indicators":{"package_integrity":[{"hashes":{"sha1":"dc752fc0466fba8066f5358150009e4c85c46a8d","sha512_sri":"sha512-6rXjAfs5RisJsxUcSxLOYWCk9Jvqd1zly8VGVcGoyfiRG1OBwpUAlti+VFMGWU0K6lXxfJaPsFoUsH6bBvSEYg=="},"filename":"tsliverhome-1.0.0.tgz"}],"evidence_files":[{"sha256":"53d1dd98792e6d019dfc401ab0e7350892c0408e6821d9fdea7974ab05872bee","tlsh":"05811e8e6e47dabd9ab165577e3bd40cf628e00f2f648841782c59394733e89022e719","path":"README.md"},{"sha256":"e300425a83e4f465a990399e5f2cae4549b51660d0df9394ec4650a381a53fcf","tlsh":"1a5144921c9021235672efe45607c524f625f22a325282b2b9afc5c02fb7a94a693ccc","path":"index.js"},{"sha256":"8590bb596adc06fdb244bc908020dfb6f7feb9480ab4f76a23a164371ad13083","tlsh":"7ce02024cd20992308c961925c7d5087a660ee1f0804fc0d93db196c8bce57718fd35d","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}