{"id":"MAL-2026-4616","summary":"Malicious code in muaddib-scanner (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c8eea5d3ed390c4c82b5bfa89ac220f1d424fcaebe70fe71bbbe3bce66f0f48f)\npackage.json declares `\"loadash\": \"^1.0.0\"` as a runtime dependency. `loadash` is a well-known typosquat of `lodash` and is never required or imported anywhere in this package's source — the dependency is unused by the scanner itself. Every installer of this package pulls `loadash@^1.0.0` into their node_modules transitively, executing whatever code that namesquat ships. The remaining static signals on this package (curl/ping/POST/child_process/https patterns across `src/scanner/`, `src/ioc/`, `src/rules/`, `src/ml/`, `src/sandbox/`) are consistent with the package's stated purpose (a supply-chain security scanner that inspects other packages' lifecycle scripts, fetches package metadata from `registry.npmjs.org`, and analyzes IOC patterns like `curl http://evil.com` as data); literal strings like `curl http://evil.com` and `$(whoami)` appear as detection rule examples, not as executed commands.\n\nThe block is on the namespace-abuse vector — a security tool has no legitimate reason to ship an unused typosquat dependency, and installers should not silently acquire it.\n","modified":"2026-05-26T06:02:43.020060980Z","published":"2026-05-25T10:36:48Z","database_specific":{"malicious-packages-origins":[{"versions":["2.11.41"],"sha256":"c8eea5d3ed390c4c82b5bfa89ac220f1d424fcaebe70fe71bbbe3bce66f0f48f","import_time":"2026-05-26T05:52:58.134368552Z","modified_time":"2026-05-25T10:36:48Z","id":"IN-MAL-2026-004623","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/muaddib-scanner/v/2.11.41"}],"affected":[{"package":{"name":"muaddib-scanner","ecosystem":"npm","purl":"pkg:npm/muaddib-scanner"},"versions":["2.11.41"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"sha256":"d88d58a1b28815d6f5b60ec4fe076188158995c67d883e78461333b2ba1e8fda","path":"package.json","tlsh":"6e31eca1de351d7319c85eda68790143a175990f9d98fc0eb3e9501c4f8d06f00fe5ae"}],"package_integrity":[{"hashes":{"sha1":"b8978075f3ffe1e173606387552041b9f0714ab8","sha512_sri":"sha512-YMs17bAblLr+J90oSRTjC9W3wPvZUMo4VszX+xipOeNxH7tQ66hOkKLgVtU0Nd9f9LZFHisduRqknh1GXKi7Nw=="},"filename":"muaddib-scanner-2.11.41.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/muaddib-scanner/MAL-2026-4616.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}