{"id":"MAL-2026-4697","summary":"Malicious code in twokey (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (20c6d8e22fd03dd5ff39bac81bcbffd05db3b2a08dcf9768332094ffcca4eebd)\nThe package's postinstall hook unconditionally executes `node bin/twokey.js --desktop --enable-autostart`, which performs three install-time actions without prompting the installer: (1) fetches `https://api.github.com/repos/meinzeug/twokey/releases/latest`, downloads the resulting AppImage to `~/.local/share/twokey/bin/twokey-ai.AppImage`, chmods it 0755, and spawns it detached with stdio ignored — the URL is the mutable 'latest' endpoint, not pinned to the npm package version, and no hash or signature verification is performed; (2) writes `~/.config/systemd/user/twokey.service` and runs `systemctl --user daemon-reload && systemctl --user enable twokey.service` so the auto-downloaded AppImage runs on every boot; (3) when invoked via sudo, re-spawns itself as the original user via `sudo -u $SUDO_USER -H node bin/twokey.js --desktop --enable-autostart` with `XDG_RUNTIME_DIR` and `DBUS_SESSION_BUS_ADDRESS` injected, extending the install footprint into the desktop user's session. 
The destination repo matches the publisher and the binary is consistent with the package's stated Tauri-desktop purpose, but the combination of mutable-URL fetch + no integrity check + silent execution + persistence install means the installer receives, executes, and persistently autostarts whatever bytes the `releases/latest` pointer resolves to at install time — fully decoupled from the npm version they thought they vetted.\n","modified":"2026-05-26T06:02:59.533191407Z","published":"2026-05-24T08:52:15Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-05-24T09:38:06Z","import_time":"2026-05-26T05:52:41.126281306Z","id":"IN-MAL-2026-004481","versions":["1.0.11"],"sha256":"20c6d8e22fd03dd5ff39bac81bcbffd05db3b2a08dcf9768332094ffcca4eebd"},{"versions":["1.0.8"],"modified_time":"2026-05-24T09:21:05Z","import_time":"2026-05-26T05:52:40.821728169Z","source":"amazon-inspector","sha256":"3e99c99c6d68f67dc08105da452c97c94c708001192919dea62ce0e4a3a26559","id":"IN-MAL-2026-004478"},{"source":"amazon-inspector","modified_time":"2026-05-24T08:52:15Z","import_time":"2026-05-26T05:52:40.044021753Z","id":"IN-MAL-2026-004472","versions":["1.0.5"],"sha256":"5314d8f5cb1c73de1c6efffd1b055957a8f2dc78b1ea828a1c841eedd78a2a82"},{"source":"amazon-inspector","modified_time":"2026-05-24T09:38:06Z","import_time":"2026-05-26T05:52:41.233142408Z","id":"IN-MAL-2026-004482","versions":["1.0.11"],"sha256":"891e263399578e7ba6449fbd625f70eb93a3a6a4aa4d5cf05ad8db29bfa2292a"},{"source":"amazon-inspector","modified_time":"2026-05-24T09:32:54Z","import_time":"2026-05-26T05:52:40.91560592Z","sha256":"8eeb0ae7f4d322804acf874ab171cb8eb3c46327808556a80efcacafd61e343e","id":"IN-MAL-2026-004479","versions":["1.0.10"]},{"source":"amazon-inspector","modified_time":"2026-05-24T09:32:55Z","import_time":"2026-05-26T05:52:41.031674581Z","id":"IN-MAL-2026-004480","versions":["1.0.10"],"sha256":"b517a8d7e82e030754a6f3e8796c273f94948d0f787427f41c10f06ac5f61d0c"},
{"id":"IN-MAL-2026-004476","modified_time":"2026-05-24T09:17:58Z","import_time":"2026-05-26T05:52:40.589884455Z","versions":["1.0.7"],"source":"amazon-inspector","sha256":"40cc2b8b94b9497167993e2354800704b2d225bee157273eff906252edb889d4"},{"source":"amazon-inspector","modified_time":"2026-05-24T09:17:57Z","import_time":"2026-05-26T05:52:40.446342943Z","id":"IN-MAL-2026-004475","versions":["1.0.7"],"sha256":"884f25147369c250f3aae797c9d71a5a61d877dff3a23ad1fbf21ae8de0054c5"},{"source":"amazon-inspector","modified_time":"2026-05-24T09:21:04Z","import_time":"2026-05-26T05:52:40.695000228Z","sha256":"9d008afe51df3700da0e0a4c85d7c8e43aa4404076d4f4ef05c1956c220938aa","id":"IN-MAL-2026-004477","versions":["1.0.8"]},{"source":"amazon-inspector","modified_time":"2026-05-24T08:52:42Z","import_time":"2026-05-26T05:52:40.181561725Z","id":"IN-MAL-2026-004473","versions":["1.0.5"],"sha256":"b186d392146b1d8ce3460080cc7889794fc0b9535f7af8c601b69d2a6c5009db"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/twokey/v/1.0.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/twokey/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/twokey/v/1.0.10"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/twokey/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/twokey/v/1.0.8"}],"affected":[{"package":{"name":"twokey","ecosystem":"npm","purl":"pkg:npm/twokey"},"versions":["1.0.11","1.0.8","1.0.5","1.0.10","1.0.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/twokey/MAL-2026-4697.json","indicators":{"evidence_files":[{"sha256":"b88eba0a4eff557f8a2561c98def8e742b5b578af39d7a8f893472a05f83beb2","tlsh":"a941502dd0e7042403f092ba600bd82a2df940022756d9a0b6fc4a75bfc913ca1f25de","path":"bin/postinstall.js"},{"sha256":"a43851b12acde1d243c4e34bf53095c6ac75f24c231b37bf6348bca4ae366f41","tlsh":"0932a30a99f7253101b320685a6fa4037158db032a98de51b7fc4250bfd573d8abbbed","path":"bin/twokey.js"}
],"package_integrity":[{"hashes":{"sha1":"1ba98c61dd4c9af294fb4ce99e9611e46d1f0291","sha512_sri":"sha512-NXX0zygD8A4HtoQkEqVielg7OHjli3MpJFU4oG424u2WfnoZpTdwBqr1wfcAtTjECrDYHp1dFUVhetP1As7kbA=="},"filename":"twokey-1.0.11.tgz"}],"domains":["api.github.com"]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}
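The record above describes a postinstall chain (hook → local script → mutable `releases/latest` download → chmod 0755 → detached spawn → `systemctl --user enable`) that a reviewer can look for mechanically before any `npm install` runs. The script below is an added triage example, not code from the advisory, from Amazon Inspector, or from the twokey project: it lists a package's lifecycle hooks, follows the local scripts those hooks invoke, scans them for the behaviours the advisory calls out, and checks a host for the two artifacts the advisory says the hook leaves behind. The indicator regexes are heuristics chosen here (assumptions, not an official signature set), the affected-version list is copied from the record, and the sample `package.json` and script bodies are constructed to mirror the described behaviour rather than being the real package files.

```python
"""Triage an unpacked npm tarball for the install-time fetch-and-persist pattern
in MAL-2026-4697.  Added example, not the advisory's or the project's code; the
sample package below is constructed, not the real twokey files."""
import json
import re
import shlex
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
AFFECTED_VERSIONS = {"1.0.5", "1.0.7", "1.0.8", "1.0.10", "1.0.11"}  # from the record

# Heuristic indicators (assumed patterns), one per behaviour the advisory describes.
INDICATORS = {
    "mutable_release_url": re.compile(r"""api\.github\.com/repos/[^\s'"]+/releases/latest"""),
    "chmod_executable": re.compile(r"chmod(Sync)?\s*\([^)]*0o?755|chmod\s+\+?x"),
    "detached_spawn": re.compile(r"detached\s*:\s*true|stdio\s*:\s*['\"]ignore['\"]"),
    "systemd_user_persistence": re.compile(r"systemctl\s+--user\s+enable|\.config/systemd/user"),
    "sudo_respawn": re.compile(r"sudo\s+-u|SUDO_USER"),
}
# Anything that looks like hash or signature verification of the downloaded bytes.
INTEGRITY_HINTS = re.compile(r"createHash\(|sha256|sha512|verify\(|signature|sigstore", re.I)
# Local scripts a script may invoke in turn (postinstall.js -> twokey.js in the advisory).
LOCAL_SCRIPT = re.compile(r"\b(?:bin|lib|scripts)/[\w./-]+\.(?:c|m)?js\b")


def install_hooks(package_json: dict) -> dict:
    """Lifecycle scripts npm runs automatically during install."""
    scripts = package_json.get("scripts", {})
    return {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}


def hook_targets(command: str) -> list:
    """Local script paths named in a hook command such as `node bin/x.js --flag`."""
    return [tok for tok in shlex.split(command) if tok.endswith((".js", ".cjs", ".mjs", ".sh"))]


def scan_source(source: str) -> list:
    """Indicator names matched in one script; adds 'no_integrity_check' when the
    script fetches from the mutable URL but shows no sign of verifying the download."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    if "mutable_release_url" in hits and not INTEGRITY_HINTS.search(source):
        hits.append("no_integrity_check")
    return hits


def triage(package_json: dict, files: dict) -> dict:
    """Scan each hook and, transitively, the local scripts it invokes.
    `files` maps tarball path -> source text."""
    findings = {}
    for hook, command in install_hooks(package_json).items():
        hits = set(scan_source(command))
        queue, seen = hook_targets(command), set()
        while queue:
            target = queue.pop()
            if target in seen or target not in files:
                continue
            seen.add(target)
            src = files[target]
            hits.update(scan_source(src))
            queue.extend(LOCAL_SCRIPT.findall(src))  # follow scripts this script runs
        findings[hook] = sorted(hits)
    # The advisory's point is the combination: fetch + silent execute + persistence.
    core = {"mutable_release_url", "detached_spawn", "systemd_user_persistence"}
    flagged = any(core <= set(h) for h in findings.values())
    return {"name": package_json.get("name"), "version": package_json.get("version"),
            "known_affected": package_json.get("version") in AFFECTED_VERSIONS,
            "hooks": findings, "flagged": flagged}


def host_artifacts(home: Path) -> list:
    """Files the advisory says the hook writes; check on a host that ran the install."""
    candidates = [home / ".config/systemd/user/twokey.service",
                  home / ".local/share/twokey/bin/twokey-ai.AppImage"]
    return [p for p in candidates if p.exists()]


# Constructed sample mirroring the described behaviour (NOT the real package files).
SAMPLE_PACKAGE_JSON = {"name": "twokey", "version": "1.0.11",
                       "scripts": {"postinstall": "node bin/postinstall.js"}}
SAMPLE_FILES = {
    "bin/postinstall.js":
        "require('child_process').execSync('node bin/twokey.js --desktop --enable-autostart');",
    "bin/twokey.js": """
const url = 'https://api.github.com/repos/example/twokey/releases/latest';
fs.chmodSync(dest, 0o755);
spawn(dest, [], { detached: true, stdio: 'ignore' }).unref();
execSync('systemctl --user daemon-reload && systemctl --user enable twokey.service');
if (process.env.SUDO_USER) execSync(`sudo -u ${process.env.SUDO_USER} -H node bin/twokey.js`);
""",
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES), indent=2))
    print("host artifacts:", [str(p) for p in host_artifacts(Path.home())])
```

To use this on a real package, run `npm pack twokey@1.0.11` (no install), extract the tarball, read `package/package.json` and the files under `package/` into `files`, and feed both to `triage`. A hook that runs `node-gyp rebuild` or a plain `prepare` step produces no indicators, so the verdict rests on the combination rather than on the mere presence of a postinstall script; matching only one indicator is a reason to read the script, not a verdict.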