{"id":"MAL-2026-4555","summary":"Malicious code in events-router (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c5482b17f0abd8f4ae8fed4fa5c53ea035a15b252efec406ae65dfe3365a7412)\nevents-router@2.1.4 impersonates the `events` EventEmitter polyfill (README and Travis badge copied verbatim from browserify/events) and ships a multi-stage attacker payload. events.js patches EventEmitter.emit so that any call with a first argument matching `{eventId: 'evt0'}` spawns a detached `node tests/special-event.min.js` child outside the documented API. tests/special-event.min.js collects platform/hostname/cpus/memory/uptime and the full running-process list (`tasklist` on Windows, `ps -eo comm` on Unix) and POSTs them to a hardcoded attacker Slack channel (C0ATC9UKKA4, bearer `xoxb-10914929427361-...`) and to Telegram bot 8717417715 chat -1003968723972. tests/special.min.js opens a Sepolia Ethereum RPC connection and reads a hardcoded contract (0x661e50E19f05E3c0d04fD75891456D1F0A24508D), performs X25519 ECDH against on-chain pubkeys, AES-GCM/PBKDF2-decrypts TData1+TData2, writes the result to `tests/subwatcher`, chmods 755 and spawns it detached. tests/index.min.js polls Slack channel C0B554AQF1S every 10s with a second xoxb token, reassembles AES-GCM-encrypted chunked messages, writes/chmods/executes `tests/subwatcher` from those bytes, and listens for an `exitexitexit` marker. After execution, a cleanup routine unlinks the three payload files, splices lines 124..139 out of events.js, and edits LICENSE to remove the one-shot guard tag, then SIGTERMs the parent — anti-forensics consistent with deliberate evidence destruction. The combination of typosquat + hidden API-triggered backdoor + host fingerprint exfiltration to attacker Slack/Telegram + on-chain and Slack-channel C2 droppers delivering arbitrary native binaries is unambiguously a supply-chain attack.\n","modified":"2026-05-26T06:02:31.413891709Z","published":"2026-05-22T17:03:56Z","database_specific":{"malicious-packages-origins":[{"sha256":"c5482b17f0abd8f4ae8fed4fa5c53ea035a15b252efec406ae65dfe3365a7412","versions":["2.1.4"],"import_time":"2026-05-26T05:52:12.10225221Z","source":"amazon-inspector","modified_time":"2026-05-22T17:03:56Z","id":"IN-MAL-2026-004231"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/events-router/v/2.1.4"}],"affected":[{"package":{"name":"events-router","ecosystem":"npm","purl":"pkg:npm/events-router"},"versions":["2.1.4"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-6BWOwRW5JTs58QRhbHVUl+9XJWQ5gkm/evhHf8wXSKAGc7uWT8nnf3shpQoMrGbwNiflkVwHZElaUb4IrvLB3w==","sha1":"d4c66f31e1720d0753ef603d02e7c1f9d6ae9f8d"},"filename":"events-router-2.1.4.tgz"}],"evidence_files":[{"sha256":"1e58c1253d08e0e918b3f9c37b837d4481054ac3705033fc04dea392543c374d","tlsh":"fa62208c5be6253212d3e3af3b4f520ab138c1a72018d950794cdbe41f5ac7886f6be5","path":"events.js"},{"sha256":"46866b65866e137216281fe724c3811a64feacd33a68206431f332725a230ccf","tlsh":"c2220bd076e2bb3503d672f98098aa07c7f95a68454b4564f56ecccb3088884df73bb5","path":"tests/special-event.min.js"},{"sha256":"f2bc0acb6279d81fe2d0184a11fe7878f0c509e7c1177f1039241669cb60748c","tlsh":"a971f9d0af796b7f16e22423b825350242b48a382b5b1310b21c9a4f77958d15ab3fd8","path":"tests/index.min.js"},{"sha256":"38dd776e32fd8d083c6449509cb6ebb1bdbd45e516723fcff637126f3bb484d9","tlsh":"c05150af029127672a7d13deff17609efb2640fc70d1a2902c1e4d6d52a21b0826e0ce","path":"Readme.md"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/events-router/MAL-2026-4555.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}