{"id":"MAL-2026-4401","summary":"Malicious code in @kruzer/lib-ui (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c1bb1f66615de2b0b161721218d2bff4bb0e7100b5cb28b764fcc2e6f1ee671f)\nThe published tarball's package.json contains a hardcoded npm registry auth token embedded in the `build:publish` script: `npm publish --tag alpha --//registry.npmjs.org/:_authToken=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`. The token is delivered to every installer of this package and grants publish privileges to the author's @kruzer/* npm scope. Anyone who installs or inspects this package can use the token to publish arbitrary (potentially malicious) versions of any package under @kruzer, which would then be pulled into all downstream installers of those packages. This is credential distribution to a third-party system (npm registry), not merely author self-harm — the blast radius extends to every downstream consumer of the @kruzer scope.\n","modified":"2026-05-27T00:31:56.193041379Z","published":"2026-05-21T00:15:29Z","withdrawn":"2026-05-26T21:41:23Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003659","versions":["0.0.0-alpha.497"],"modified_time":"2026-05-21T00:30:28Z","source":"amazon-inspector","import_time":"2026-05-26T05:51:03.598105177Z","sha256":"61e35bbeaf5b8e77f70d8554098ee0ec46a5d1ba7a2315f298a21406db78335f"},{"modified_time":"2026-05-21T00:15:29Z","import_time":"2026-05-26T05:51:03.50062953Z","id":"IN-MAL-2026-003658","source":"amazon-inspector","versions":["0.0.0-alpha.491"],"sha256":"c1bb1f66615de2b0b161721218d2bff4bb0e7100b5cb28b764fcc2e6f1ee671f"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@kruzer/lib-ui/v/0.0.0-alpha.497"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@kruzer/lib-ui/v/0.0.0-alpha.491"}],"affected":[{"package":{"name":"@kruzer/lib-ui","ecosystem":"npm","purl":"pkg:npm/%40kruzer%2Flib-ui"},"versions":["0.0.0-alpha.497","0.0.0-alpha.491"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@kruzer/lib-ui/MAL-2026-4401.json","indicators":{"evidence_files":[{"tlsh":"eea1ff18ce449de36dd206ad95b91642685c900f4e6ab08c3366c11ccfad7ef3236e9d","path":"package.json","sha256":"742cb22737d628a2050ce613a1a44c6b6a041ca7386fb4c6d6c9adca2a36a973"}],"package_integrity":[{"hashes":{"sha1":"b694101489b6f58a3d6176f3f0e7ddc7e58c716f","sha512_sri":"sha512-hHoliVEM5QWao2z6EfgFku6pnwc+L9tTaLgnLPFLfP9c/7vqxXwWU6f5B5VjAnjdn/DXLLbidIUN+mLnaEN1TQ=="},"filename":"lib-ui-0.0.0-alpha.497.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}