{"id":"MAL-2026-4377","summary":"Malicious code in @ctrl/plex (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (20e1aad15739a79a359d88099a004fa395b66df8845c10823824e848f095c568)\nThe @ctrl/* npm scope was compromised in the Shai-Hulud supply-chain incident (September 2025). Versions of @ctrl/plex published during and after the compromise window have been observed shipping credential-harvesting payloads that exfiltrate developer secrets (npm tokens, GitHub tokens, cloud credentials, SSH keys) and self-propagate by republishing other packages owned by the same maintainer. @ctrl/plex@6.0.0 falls within the affected version range for this scope. Installing this version is expected to execute attacker-controlled code that harvests installer credentials and attempts further package compromise.\n","modified":"2026-05-27T00:31:54.576203984Z","published":"2026-05-20T19:34:41Z","withdrawn":"2026-05-26T17:12:48Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:50:56.773305951Z","versions":["6.0.0"],"modified_time":"2026-05-20T19:34:41Z","id":"IN-MAL-2026-003603","source":"amazon-inspector","sha256":"20e1aad15739a79a359d88099a004fa395b66df8845c10823824e848f095c568"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@ctrl/plex/v/6.0.0"}],"affected":[{"package":{"name":"@ctrl/plex","ecosystem":"npm","purl":"pkg:npm/%40ctrl%2Fplex"},"versions":["6.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-jePuUoidz7OHUOAYSnLBrBNWISj2+dy6t7oIRCVGZbj/rFOgFpic1Nwuks2IPoZ0J6J7kTKR0+yXyRzBLkafuw==","sha1":"8335acc541bae5d1dc6efc400e9a72eb6bfa44ed"},"filename":"plex-6.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@ctrl/plex/MAL-2026-4377.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}