{"id":"MAL-2026-4570","summary":"Malicious code in gehneb (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (02811600aba146f33bc2f2a8eeee83d8539bf60398695af9f89b80541bbff971)\npackage.json declares `\"consolefy\": \"git+https://github.com/ccndjdjdnnddnd-jpg/sbdrsfhbrfh.git\"` instead of resolving the legitimate `consolefy` package from the npm registry. The git URL has no commit SHA, tag, or branch pin, so `npm install` clones whatever HEAD points to at install time — fully mutable by the owner of that throwaway GitHub account (random-character username, unrelated to the legitimate consolefy publisher). The package's library entry (`lib/index.js`) transitively loads `lib/Classes/Client.js` and `lib/Classes/CommandHandler.js`, both of which `require(\"consolefy\")` at module top level, so any code the attacker pushes to that repo executes on every installer that requires gehneb. Combined signals: empty `description` and empty `author` metadata, short opaque package name, and a Baileys/WhatsApp-bot dependency surface re-published under unrelated branding. The unpinned-attacker-repo override alone provides a silent install-time/require-time RCE channel into the installer's environment.\n","modified":"2026-05-26T06:02:34.507430561Z","published":"2026-05-25T16:58:10Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:53:10.065171529Z","versions":["1.0.1"],"sha256":"02811600aba146f33bc2f2a8eeee83d8539bf60398695af9f89b80541bbff971","modified_time":"2026-05-25T16:58:10Z","id":"IN-MAL-2026-004727","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/gehneb/v/1.0.1"}],"affected":[{"package":{"name":"gehneb","ecosystem":"npm","purl":"pkg:npm/gehneb"},"versions":["1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/gehneb/MAL-2026-4570.json","indicators":{"package_integrity":[{"filename":"gehneb-1.0.1.tgz","hashes":{"sha512_sri":"sha512-/+L0+Tw3LhZVD1TjiQK/HtsEyO+0aRTiI2kdEQTuEUyRYnt+kdmTLP8WcXd8+mAg2dG0+tsqTdwkov5VQ46/bw==","sha1":"07ed1506d5ae51d90d5cba133b3ce49c24ba5fda"}}],"evidence_files":[{"sha256":"bbb62eeb56394f9c1c118498fe23a217a70d123bde3009341e77822e675e1f7e","tlsh":"c021d024c8149cb305c521fc8dba8642a1bb0a5708acfc1833d9432c4f5d26f34bab7e","path":"package.json"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}