{"id":"MAL-2026-4495","summary":"Malicious code in banana-stand (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ab14273a518e66f357d229806e82cb2f4ce211cae4bc5de0f2d15eeab67fb720)\nOn `npm install`, the package's `install` lifecycle hook runs `node index.js`, which loads `lib/core.js`. That module reads `os.userInfo().username`, `os.hostname()`, and the basename of `process.cwd()`, then issues a `dns.resolve4` lookup for `lwbanana.\u003cusername\u003e.\u003chostname\u003e.\u003ccwd\u003e.\u003cunixtime\u003e.oob.sl4x0.xyz`, smuggling host identifiers out-of-band via DNS to an author-controlled domain. The same path also fires on `require('banana-stand')` because `main` points at the same entry. Strings used to construct the exfil (`os`, `dns`, `userInfo`, `hostname`, `cwd`, `resolve4`, and the destination domain `oob.sl4x0.xyz`) are concealed as `String.fromCharCode` byte arrays in `lib/6ad264.js` and `lib/b02e30.js` and decoded at runtime, indicating intentional concealment of the exfiltration channel.\n","modified":"2026-05-26T06:02:10.966121909Z","published":"2026-05-20T13:15:42Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:50:49.406932276Z","id":"IN-MAL-2026-003541","versions":["9.9.11"],"modified_time":"2026-05-20T13:15:43Z","sha256":"6557254afd81880fdee5e96ba7839759a16db9c60dbc25efc39be957f488a9a2","source":"amazon-inspector"},{"import_time":"2026-05-26T05:50:49.298276454Z","id":"IN-MAL-2026-003540","modified_time":"2026-05-20T13:15:42Z","versions":["9.9.11"],"sha256":"ab14273a518e66f357d229806e82cb2f4ce211cae4bc5de0f2d15eeab67fb720","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/banana-stand/v/9.9.11"}],"affected":[{"package":{"name":"banana-stand","ecosystem":"npm","purl":"pkg:npm/banana-stand"},"versions":["9.9.11"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"38014929a393c08f97e096d0361a03d18499c380e7ce80a5fa7c4a87904e7d1cac5a96","path":"lib/core.js","sha256":"397d1435e7291ed6b02b8627033a110124d250a54290b3a8f9f248573fd6a2d4"},{"tlsh":"26e068173313c94fa1c80bf7790050a0aa0d8f58a11dc0dab91c678600af447d0c0272","path":"lib/b02e30.js","sha256":"15afa1966ef07bd0c2f3c79a45e095a96999f6fc852c819de819ae9a55e2ee99"}],"domains":["lwbanana.scan.scandc596b761e5.bananastand.1779282910.oob.sl4x0.xyz"],"package_integrity":[{"hashes":{"sha1":"4c7da9e76a5d521d5074b6371609ac04c08736ea","sha512_sri":"sha512-yNZFhbTvNdir8kMquCAPN0USOCYCA1ZC6DqMoJ4cCX0/fiKrjO+C7UPlInbz00IhkELZXfFLq+CXtL0dIQP+vA=="},"filename":"banana-stand-9.9.11.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/banana-stand/MAL-2026-4495.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}