{"id":"MAL-2026-4230","summary":"Malicious code in cryptoco-auth (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (46f83b7a7a5e28fe4fadbd72b0d38ff322210501ef54807160a13b7d797e6c68)\nOn require(), index.js opens TCP connections to the cloud link-local metadata address 169.254.169.254 across ports 80, 443, 8080, 3000, 5432, and 6379, writing an HTTP probe on each successful connection. The package advertises itself as a crypto authentication library but contains no authentication code — its only runtime behavior is reconnaissance against the AWS/cloud Instance Metadata Service, a well-known precursor to IMDS credential theft on cloud VMs. The package manifest is minimal (no description, author, or repository), and the IP literal is annotated with an Indonesian-language comment explicitly identifying it as the AWS Metadata IP. The lure-style name combined with reconnaissance behavior and absent legitimate functionality is consistent with a malicious package targeting cloud-hosted installers.\n\n## Source: ossf-package-analysis (224727792d7795e1dff1348ad30dad0de77689bf284ac571b7aee280b49b5774)\nThe OpenSSF Package Analysis project identified 'cryptoco-auth' @ 1.0.6 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-26T06:02:26.197225742Z","published":"2026-05-21T20:21:43Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.6"],"source":"ossf-package-analysis","modified_time":"2026-05-21T21:40:31Z","sha256":"224727792d7795e1dff1348ad30dad0de77689bf284ac571b7aee280b49b5774","import_time":"2026-05-21T22:53:48.526378775Z"},{"versions":["1.0.3"],"source":"ossf-package-analysis","modified_time":"2026-05-21T21:15:38Z","sha256":"8e54c788edf1e2414d974f83e976140d5249c5cc2473c2ed15339c7b030a3d5e","import_time":"2026-05-21T22:53:48.416193578Z"},{"id":"IN-MAL-2026-004025","source":"amazon-inspector","versions":["1.0.3"],"modified_time":"2026-05-21T20:55:32Z","sha256":"701d494408614029714cc75d7b55fc25fd283cde3e67c728a99f98515b2df097","import_time":"2026-05-26T05:51:47.565891245Z"},{"id":"IN-MAL-2026-004041","source":"amazon-inspector","modified_time":"2026-05-21T21:56:40Z","sha256":"b9e90e6575a4d037bcad6cf0de4dd5ce096909402ecf6d56fb693290ab5ff678","versions":["1.0.8"],"import_time":"2026-05-26T05:51:49.533695102Z"},{"id":"IN-MAL-2026-004016","source":"amazon-inspector","sha256":"c4eaaae32c756652d1a54fdc6960de4c1b8eb440128ed1a55b7970e50f44b07e","modified_time":"2026-05-21T20:21:43Z","versions":["1.0.0"],"import_time":"2026-05-26T05:51:46.544436411Z"},{"id":"IN-MAL-2026-004032","source":"amazon-inspector","sha256":"080d1711ace6d140b06304a1ef00ad0b79a8766248507dde481f77bab18e3394","versions":["1.0.4"],"modified_time":"2026-05-21T21:07:36Z","import_time":"2026-05-26T05:51:48.483585564Z"},{"id":"IN-MAL-2026-004017","source":"amazon-inspector","modified_time":"2026-05-21T20:30:30Z","versions":["1.0.1"],"sha256":"295fd89295cd5ef408838ff18e43c0f904a99c23bb3a3a83c8af6498fe9702d6","import_time":"2026-05-26T05:51:46.637876038Z"},{"id":"IN-MAL-2026-004036","source":"amazon-inspector","modified_time":"2026-05-21T21:42:38Z","sha256":"46f83b7a7a5e28fe4fadbd72b0d38ff322210501ef54807160a13b7d797e6c68","versions":["1.0.7"],"import_time":"2026-05-26T05:51:48.916076208Z"},{"id":"IN-MAL-2026-004035","source":"amazon-inspector","modified_time":"2026-05-21T21:36:52Z","versions":["1.0.6"],"sha256":"6f90ded2b67d3d8055dd473d8c7b2e9b23f8466f1df2045ebe2c9c597438a447","import_time":"2026-05-26T05:51:48.818786723Z"},{"id":"IN-MAL-2026-004024","source":"amazon-inspector","versions":["1.0.2"],"modified_time":"2026-05-21T20:52:30Z","sha256":"79f6465edc658272b6e1cb444427a312096100bee99022f17b7ec9abfa308d92","import_time":"2026-05-26T05:51:47.430489912Z"},{"id":"IN-MAL-2026-004034","source":"amazon-inspector","modified_time":"2026-05-21T21:18:32Z","versions":["1.0.5"],"sha256":"9a686605cb26b04a1ed6ddcb32e18b06772ae353511851d7f5c677d3aa597c7e","import_time":"2026-05-26T05:51:48.727144496Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptoco-auth/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptoco-auth/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptoco-auth/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptoco-auth/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptoco-auth/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptoco-auth/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptoco-auth/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptoco-auth/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cryptoco-auth/v/1.0.5"}],"affected":[{"package":{"name":"cryptoco-auth","ecosystem":"npm","purl":"pkg:npm/cryptoco-auth"},"versions":["1.0.6","1.0.3","1.0.8","1.0.0","1.0.4","1.0.1","1.0.7","1.0.2","1.0.5"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cryptoco-auth/MAL-2026-4230.json","indicators":{"package_integrity":[{"filename":"cryptoco-auth-1.0.3.tgz","hashes":{"sha1":"cf0cf9275bb86450baba34274304b1c928d5058f","sha512_sri":"sha512-jZn6Nzqgx+rzlDxiv37JuV6aIDUPJ+0F9GIWCn/fFBE+o8KkkYrRkZup5y7UeADSaHOB6P+14PdBlkVfs8oeWQ=="}}],"evidence_files":[{"sha256":"8883b689ad5a9726da5a3592717f44ea46b581468c6bff30ce3a934d959a824f","path":"index.js","tlsh":"19f0d3e1a25413fd5aa39ec03053a2144163e426b507a8e053cc02726fcc52d91779ec"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}