{"id":"MAL-2026-4550","summary":"Malicious code in emojifancy-print (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (87a0b34b08697e7c8c67b8111ab442ec2d1168f0981b4680fc327a40ba370d79)\nThe package advertises itself as a colorized logger but ships a backdoor in dist/logger.js that fires automatically when the module is loaded. At require time, dist/index.js triggers logger.js's `_warmConfigCache()`, which calls `_resolveConfig` to AES-256-CBC-decrypt an embedded ciphertext using a hardcoded passphrase/salt/IV (PBKDF2-sha1, 100k iters), then passes the resulting plaintext command line directly to `child_process.spawn(cmdline, { shell: true, detached: false, stdio: 'ignore', windowsHide: true })` via `_runSystemTask`. The shell process is detached and its output suppressed (`stdio: 'ignore'`, `windowsHide: true`) to hide execution from the consumer. The rest of logger.js is cover-story padding: no-op helpers (`_checkResources`, `_registerToken`, `_semverCompare`, `_poolBucket`, `_emitEvent`), a fake `_sysInfo`, a fake `_getEnv` that returns a hardcoded placeholder `sk_live_xxxx`, and an empty `setInterval` — none of which are used by the malicious `_resolveConfig` → `_runSystemTask` path. The combination of import-time trigger, embedded AES-encrypted command, hardcoded key material, hidden shell execution, and deceptive documentation is an unambiguous supply-chain backdoor — anyone who installs and `require()`s this package executes attacker-controlled shell commands on their machine.\n","modified":"2026-05-26T06:02:29.741448087Z","published":"2026-05-25T13:02:50Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-25T13:02:50Z","id":"IN-MAL-2026-004647","versions":["5.6.3"],"source":"amazon-inspector","sha256":"87a0b34b08697e7c8c67b8111ab442ec2d1168f0981b4680fc327a40ba370d79","import_time":"2026-05-26T05:53:00.943303183Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/emojifancy-print/v/5.6.3"}],"affected":[{"package":{"name":"emojifancy-print","ecosystem":"npm","purl":"pkg:npm/emojifancy-print"},"versions":["5.6.3"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/emojifancy-print/MAL-2026-4550.json","indicators":{"evidence_files":[{"path":"dist/logger.js","tlsh":"3e8175c6396aa0a38ab0db554e57a019f96516332717d2f4f6ece1880f7a714c1e3dcc","sha256":"7389836bda50074110b6de9f63706994953b6a9893d32d25232b6c7631305e1c"}],"package_integrity":[{"hashes":{"sha1":"f3b5074f1085ac0f06372a7cc4a7d6e22f2f959c","sha512_sri":"sha512-KEzeyQatJ8/94/UAc5uH8WqgAsuKVmxkATKxvANskw18qzAjSXwmHvYpISZ6SAECn1c9Gm21XBUVnNn6E5eTVQ=="},"filename":"emojifancy-print-5.6.3.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}