{"id":"MAL-2026-4496","summary":"Malicious code in bandkit (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (687dcebaf30461a2325de226851b84abfb6db6359a12c9392ece9c5ff02a620d)\nbandkit ships a React component (BandPanel) that, when rendered without an explicit strategyWalletAddress prop — the configuration shown in the package's own README — deploys a BandStrategy.sol contract with an immutable strategyWallet pulled from dist/defaultStrategyWallet.js. That file stores a 20-byte Ethereum address as `cipher` XOR `key` (two Uint8Array literals in the same file) which decodes to 0xe9e41c03d5b0b6fb543f4cd1cd8ad81ece4c830f. dist/useStrategyContractDeployment.js wires this in via `args: [options.strategyWalletAddress?? getDefaultStrategyWallet()]`. When end users of the installer's UI click 'Start Bot', BandStrategy.activateStrategyEngine() executes `(bool ok, ) = strategyWallet.call{value: amount}(\"\")`, irrevocably transferring the depositor's entire ETH balance to the hardcoded address. The defaultStrategyWallet.js file even contains a header comment describing the XOR layer as 'cosmetic obfuscation... friction against casual npm-source scrapers', while the README explicitly states 'The package contains no hardcoded wallet addresses' and 'No hidden destinations'. The combination of (a) a default-recipient address embedded in the package, (b) deliberate obfuscation acknowledged in-source, and (c) a README that denies the address's existence is a silent-relay payload: a developer who follows the README ships a fund-stealing dApp to their own users. Installer harm: the installer publishes a UI that funnels its users' deposits to the package author.\n","modified":"2026-06-12T20:01:47.333957050Z","published":"2026-05-25T23:10:12Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.7"],"id":"IN-MAL-2026-004795","source":"amazon-inspector","import_time":"2026-05-26T05:53:17.712082388Z","modified_time":"2026-05-25T23:10:12Z","sha256":"328d601aed275e0122f2d0be8b7c5b76b920aa0af6aa57e7bd64ab540a0c0db3"},{"versions":["1.0.9"],"id":"IN-MAL-2026-004800","source":"amazon-inspector","import_time":"2026-05-26T05:53:18.284819359Z","modified_time":"2026-05-25T23:33:05Z","sha256":"f17eed05248e00e40ac995b4a723da03f1e854a1445b2d99c6a52507511d3795"},{"versions":["1.0.9"],"id":"IN-MAL-2026-004799","source":"amazon-inspector","import_time":"2026-05-26T05:53:18.145850241Z","modified_time":"2026-05-25T23:33:05Z","sha256":"6d7546959efc9cf15944286e0fe5cce44965113def72bea55866d8a130937f89"},{"versions":["1.0.7"],"id":"IN-MAL-2026-004794","source":"amazon-inspector","import_time":"2026-05-26T05:53:17.610898565Z","modified_time":"2026-05-25T23:10:12Z","sha256":"f1341a067075e690ff81c24889d925809a5c29a1a402ebfadaaf8b5f36331c9f"},{"versions":["1.0.10"],"id":"IN-MAL-2026-004902","source":"amazon-inspector","import_time":"2026-05-26T13:32:46.375461088Z","modified_time":"2026-05-26T11:26:08Z","sha256":"c2586b0e7114265fe8e85fee87db4b264f1dce9a574916b333af41870369e44a"},{"versions":["1.0.10"],"id":"IN-MAL-2026-004903","source":"amazon-inspector","import_time":"2026-05-26T13:32:46.433733788Z","modified_time":"2026-05-26T11:26:10Z","sha256":"8d03553469ab55441dd89101f56b8872adee9194c6390b76e77f58b662de46dc"},{"versions":["1.0.11"],"id":"IN-MAL-2026-004918","source":"amazon-inspector","import_time":"2026-05-26T15:07:42.690325968Z","modified_time":"2026-05-26T14:32:19Z","sha256":"018a4cd7e1cf6b632a8d58acdbfc15f48dffb0428a71638b2d040152260e13cf"},{"sha256":"c12036b3e8a5f609179a8f9a6109178d5cd21a40493140d54324c5e499912c07","id":"IN-MAL-2026-004917","source":"amazon-inspector","import_time":"2026-05-26T15:07:42.5614868Z","modified_time":"2026-05-26T14:32:15Z","versions":["1.0.11"]},{"versions":["1.0.16"],"id":"IN-MAL-2026-006205","source":"amazon-inspector","import_time":"2026-06-12T19:44:19.766645641Z","modified_time":"2026-06-12T19:11:15Z","sha256":"687dcebaf30461a2325de226851b84abfb6db6359a12c9392ece9c5ff02a620d"},{"sha256":"ea0489597e99751b2d16ab93eb3f71a05c62b282f723c27aa2043808f7b99464","id":"IN-MAL-2026-006204","source":"amazon-inspector","import_time":"2026-06-12T19:44:19.665072182Z","modified_time":"2026-06-12T19:11:13Z","versions":["1.0.14"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/bandkit/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/bandkit/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/bandkit/v/1.0.10"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/bandkit/v/1.0.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/bandkit/v/1.0.16"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/bandkit/v/1.0.14"}],"affected":[{"package":{"name":"bandkit","ecosystem":"npm","purl":"pkg:npm/bandkit"},"versions":["1.0.7","1.0.9","1.0.10","1.0.11","1.0.16","1.0.14"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bandkit/MAL-2026-4496.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-kksnEC+wcyf9moju5KAQhcIZdvwy0Z0xR9dV0uDS4EW3ihlAePKJ8iFsG3B7yzHp0HvR3qHDLIk6a5eqQwvHtQ==","sha1":"42528be918cdb17e13b6f9a41e609d90ed36399e"},"filename":"bandkit-1.0.9.tgz"}],"domains":["pkg.pr.new"],"evidence_files":[{"sha256":"666411bb4696a85222f502e377c61ab6fe5d845be70cc092cdcf5df87de98b3d","path":"dist/useStrategyContractDeployment.js","tlsh":"a5222c94b2f3530a4ca36479064fd1147d227e07710dc9513bbc9b229fd84a5caebbe9"},{"sha256":"d1620d87aff5eb6b9e44d319033008454d3e9bbd70d8cbd6061bf96dfd970884","path":"dist/defaultStrategyWallet.js","tlsh":"9c311f0a3f905af2008bc1ab468d41e3ea8a28d3b61958dcb05e45149f6183dc5feed7"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com","inspector-research@amazon.com"],"type":"FINDER"}]}