{
  "id": "MAL-2026-4428",
  "summary": "Malicious code in @rspack-debug/core (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c05c92aa1796614da12b282390f160fef2a5c63aba9a3257af956c19df341ce5)\nPackage @rspack-debug/core@2.0.4 impersonates the popular @rspack/core bundler. The README, description ('Fast Rust-based bundler for the web with a modernized webpack API'), homepage (rspack.rs), and repository pointer are copied verbatim from the legitimate package. The package.json declares a single runtime dependency using npm's package-aliasing syntax: \"@rspack/binding\": \"npm:@rspack-debug/binding@2.0.4\". This forces every install to substitute the legitimate native binding @rspack/binding with the same-author-controlled sibling @rspack-debug/binding under the impersonating scope. The native binding is loaded by @rspack/core's main module, so any code shipped in @rspack-debug/binding executes when a consumer imports the package or runs the bundler. The combination of (a) a ≤1-edit name impersonation of a top-tier registry package, (b) verbatim cloning of the upstream identity, and (c) a dependency-alias redirect of the native binding to a sibling under the typosquat scope is the canonical delivery vehicle for malicious native code through a typosquat front.\n",
  "modified": "2026-05-27T00:32:05.668261989Z",
  "published": "2026-05-20T12:16:10Z",
  "withdrawn": "2026-05-26T21:41:23Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "modified_time": "2026-05-20T12:19:31Z",
        "source": "amazon-inspector",
        "sha256": "7d30900b1c9603b37fb438ab67bc3b6991250501d2a2571237fcdfe94e25e46e",
        "import_time": "2026-05-26T05:50:47.575928381Z",
        "versions": ["2.0.4"],
        "id": "IN-MAL-2026-003525"
      },
      {
        "modified_time": "2026-05-20T12:16:10Z",
        "source": "amazon-inspector",
        "versions": ["2.0.4"],
        "import_time": "2026-05-26T05:50:47.47245143Z",
        "sha256": "c05c92aa1796614da12b282390f160fef2a5c63aba9a3257af956c19df341ce5",
        "id": "IN-MAL-2026-003524"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/@rspack-debug/core/v/2.0.4"}
  ],
  "affected": [
    {
      "package": {"name": "@rspack-debug/core", "ecosystem": "npm", "purl": "pkg:npm/%40rspack-debug%2Fcore"},
      "versions": ["2.0.4"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@rspack-debug/core/MAL-2026-4428.json",
        "cwes": [{"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."}],
        "indicators": {
          "domains": ["34.7.16.104.in-addr.arpa"],
          "package_integrity": [{"hashes": {"sha512_sri": "sha512-sOm9WZi6dwjrZIedUra4QuIzUX4rA/sRXpHi0zUAuox50jXeoCkaQa16gZPZg9A7YEgNVEN6c+jO4Wx1IHEJ+Q==", "sha1": "244c0b6d3664952bea354ed4f85992ae30fb8bac"}, "filename": "core-2.0.4.tgz"}],
          "evidence_files": [{"path": "package.json", "tlsh": "6541bb72c9684d630ad820d5a8390253a16908574c89bc0c37ca932c9f4dbdf35fafad", "sha256": "0105ed12eb6453927c401616ff884ed09ab83cc6163632af5eacf9a119eb3380"}]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [{"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"}]
}