{"id":"MAL-2026-4489","summary":"Malicious code in auth0-templates-scripts (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1bc0f40b778be080e2a14dd0097ab772565cc570f5fd471f10e883f259be2db6)\nPackage name 'auth0-templates-scripts' impersonates the Auth0 (Okta) brand without affiliation. The author field is the placeholder 'OpenSource Contributor'. The main entry (index.js lines 2-6) silently `require()`s a co-named dependency `auth0-templates-scripts-utils` (^1.0.5) inside a try/catch that swallows all errors, then prints an 'integration framework initialized' message. This is a loader-shim pattern: the visible package is nearly empty while the auto-installed sibling — which is pulled into the installer's dependency tree on `npm install` and loaded on every `require('auth0-templates-scripts')` — carries the actual code, hidden from inspection of this tarball. The combination of brand-name impersonation, placeholder author metadata, and a silent error-swallowing shim that delegates execution to a co-named transitive is the canonical namespace-abuse dropper shape.\n","modified":"2026-05-26T06:02:14.564930911Z","published":"2026-05-21T05:44:38Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003756","import_time":"2026-05-26T05:51:15.228486767Z","sha256":"1bc0f40b778be080e2a14dd0097ab772565cc570f5fd471f10e883f259be2db6","modified_time":"2026-05-21T06:15:44Z","source":"amazon-inspector","versions":["80.0.4"]},{"id":"IN-MAL-2026-003749","import_time":"2026-05-26T05:51:14.487478174Z","sha256":"83d0e8b6d3b7847b1409fb341e749cfd75fe4b0445e0f11a5042817dde29287b","modified_time":"2026-05-21T05:45:23Z","source":"amazon-inspector","versions":["80.0.1"]},{"id":"IN-MAL-2026-003757","import_time":"2026-05-26T05:51:15.335157703Z","sha256":"9ae04c43a548d234c87b09405f4c7b012454f5352b1351318d1a8849e3cad8c0","modified_time":"2026-05-21T06:17:54Z","source":"amazon-inspector","versions":["80.0.4"]},{"id":"IN-MAL-2026-003748","import_time":"2026-05-26T05:51:14.38973346Z","sha256":"be512846c47dcba2066ef022d0ffce73f2b74b9ad04268041f438ec920cc57b4","modified_time":"2026-05-21T05:44:38Z","source":"amazon-inspector","versions":["80.0.1"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/auth0-templates-scripts/v/80.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/auth0-templates-scripts/v/80.0.1"}],"affected":[{"package":{"name":"auth0-templates-scripts","ecosystem":"npm","purl":"pkg:npm/auth0-templates-scripts"},"versions":["80.0.4","80.0.1"],"database_specific":{"indicators":{"domains":["db.local","lan","google.internal","corp.local","vault.internal","internal.jira.local","kubernetes.default","gitlab.internal","jenkins.local","istio-ingressgateway.istio-system.svc.cluster.local","kubernetes.default.svc.cluster.local","ec2.internal","active-directory.local","redis.local","mongodb.internal","home","internal","intranet.local","gitlab.local","azure.internal","consul.service.consul","kubernetes.default.svc","redis.internal","postgres.local","rancher.internal","compute.internal","jenkins.internal"],"evidence_files":[{"sha256":"4caa2d5760dfed56f3ab0c9bdfd636d2ee2e88d71aa5f0124b02d252a30dd0c0","path":"index.js","tlsh":"76d0a7854da6e137433406a2d7248b10aae1d9750a539451349891762394cd0464ada8"}],"package_integrity":[{"filename":"auth0-templates-scripts-80.0.4.tgz","hashes":{"sha512_sri":"sha512-zGwNND/xYrko1UgzGzt6tSVQPjx9Q5Sk9I3t6Z7wbgt6GmRETY1xiQfCHDzeaNn64puF5FMOs+Pi70P+R+PtFg==","sha1":"ebc11b5dde0c90216c22927d6e7605d9487fffb6"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/auth0-templates-scripts/MAL-2026-4489.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}