{"id":"MAL-2026-4399","summary":"Malicious code in @kedem/okdb (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cfce9a94c70e54caff77645f380418abda1bb1a38ad9cda61f6fbeaa482e2fed)\nThe package's CLI entry point at bin/okdb.js is a heavily obfuscated single-line bundle (hex-mangled symbols like _0x2a69e2/_0x5d02f6) that constructs HTTP POST requests to a hardcoded host (node-a.example.com) while reading process.env values and invoking 'ping' commands. The combination of (a) hex-obfuscated variable naming consistent with deliberate concealment, (b) a hardcoded remote POST destination embedded directly in the bundle, and (c) process.env reads adjacent to the network call inside the same obfuscated scope is the canonical command-and-control / environment-exfiltration shape. The bin entry runs whenever an installer invokes the CLI, transmitting host and environment data to the attacker-controlled endpoint. A second file okdb.js at the package root contains additional hardcoded POST patterns reinforcing the same network behavior.\n","modified":"2026-05-27T00:31:56.144454270Z","published":"2026-05-21T11:28:39Z","withdrawn":"2026-05-26T18:08:08Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-05-21T11:28:39Z","import_time":"2026-05-26T05:51:20.737243422Z","id":"IN-MAL-2026-003803","versions":["1.8.3"],"sha256":"cfce9a94c70e54caff77645f380418abda1bb1a38ad9cda61f6fbeaa482e2fed"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@kedem/okdb/v/1.8.3"}],"affected":[{"package":{"name":"@kedem/okdb","ecosystem":"npm","purl":"pkg:npm/%40kedem%2Fokdb"},"versions":["1.8.3"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@kedem/okdb/MAL-2026-4399.json","indicators":{"package_integrity":[{"hashes":{"sha1":"cf3f8a70cc0d0e7c6f338e07a30692aaed6c820f","sha512_sri":"sha512-xi0cHUad3dH7GBCh9202hDRTKuhSceK2LWa/ZL7n4R0eHLWPq5p8RYh8tmTpQG5wHezGUKdeWROpAGBF4lVn/w=="},"filename":"okdb-1.8.3.tgz"}],"evidence_files":[{"tlsh":"a1e3b5406bc0d66d23ca1ffb3637a4e6c00b1b9e75845b9be184fca454a5213f6ee630","path":"bin/okdb.js","sha256":"addb61d779e54d33c1ec41172a5025bc6f767589787ea91ae933c1feab089ccf"},{"tlsh":"3785d8406bc0956c238b5ffa7707b1d6e85b0c1f75484cabe198bc6861e6603fbe9631","path":"okdb.js","sha256":"b4a2bf71c31266a22556da7e2d4a29f3e8c7db815a0f0d5976309bc24b4182dd"},{"path":"public/sections/embeddings/parts/embed-create-panel.ok.js","tlsh":"3e33d821f1f499333497dce86ea99a2e3e5ab640e0180454f76c1bf217cec81e527b79","sha256":"3dbb8b035b0576091ec0aaf925fd0652def0e45d476ca76a0af154e7afd0b05e"},{"path":"public/sections/embeddings/parts/pipeline-create-panel.ok.js","tlsh":"5343eaa6fad348b706a34ed01ff50baf3e687551844948687e6c0be35786c11f813b7a","sha256":"db741005e69ba5f534f4d13343b2ee88a242f53ef40dd5963e60b758b014c597"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}