{"id":"MAL-2026-4384","summary":"Malicious code in @dreamlake/lakeshore (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8ef6f14503697000ebd139364326d859a625a27a669e6f53b3e7a9388c3b0b25)\nOn install, dist/cli/daemon/install.js fetches content from https://pub-c0109e197b4a4d1abe5884ac4dd3a023.r2.dev — an anonymous Cloudflare R2 bucket — and posts to remote endpoints. Anonymous R2 buckets (pub-*.r2.dev) are documented payload-distribution infrastructure used by recent npm dropper campaigns: the bucket owner can rotate the served bytes at any time without changing the package, and there is no publisher-matching, no version pinning, and no integrity check tying the fetched content to this package. The host does not match any documented publisher domain for @dreamlake/lakeshore. This is the malicious-dropper shape — install of the package causes execution of attacker-mutable remote content on the installer's machine.\n","modified":"2026-05-27T00:31:54.717370444Z","published":"2026-05-23T17:57:32Z","withdrawn":"2026-05-26T17:59:39Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:52:50.585222726Z","source":"amazon-inspector","versions":["0.1.17"],"sha256":"8ef6f14503697000ebd139364326d859a625a27a669e6f53b3e7a9388c3b0b25","id":"IN-MAL-2026-004560","modified_time":"2026-05-25T00:11:57Z"},{"import_time":"2026-05-26T05:52:28.713382918Z","source":"amazon-inspector","versions":["0.1.16"],"sha256":"a722945fb02975cc590fa4f04111019077c605524db3b327e215b1d414b1fc64","id":"IN-MAL-2026-004376","modified_time":"2026-05-23T17:57:32Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@dreamlake/lakeshore/v/0.1.17"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@dreamlake/lakeshore/v/0.1.16"}],"affected":[{"package":{"name":"@dreamlake/lakeshore","ecosystem":"npm","purl":"pkg:npm/%40dreamlake%2Flakeshore"},"versions":["0.1.17","0.1.16"],"database_specific":{"indicators":{"package_integrity":[{"filename":"lakeshore-0.1.17.tgz","hashes":{"sha1":"b46918a7538274a4215233f492458191e45e872e","sha512_sri":"sha512-F35WcXRVY/MYUpfREXeTMYRBuiVpia4BLfb0JaKYyaqzzK7LQW6Y8z8BzAnnaa7xNeeZ7dl576sheLaKEJHjNg=="}}],"evidence_files":[{"path":"dist/cli/daemon/install.js","tlsh":"c182f9551473233a16f2a8f9a71fb061ea29901b6708ed20b40ee3551fcd16960efff6","sha256":"9a135b9e89303d943157cc44d10ef9e0df730815639fb3461c7b3663acf5a107"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@dreamlake/lakeshore/MAL-2026-4384.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}