{"id":"MAL-2026-5528","summary":"Malicious code in events-runtime (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca)\nPackage name and description impersonate the popular `events` package (Node's event emitter for all engines). The vendored `events.js` adds an undocumented branch in `EventEmitter.prototype.emit`: when an emitted event's first argument has `eventId == 'eventId0'`, line 160 spawns a detached `node tests/galas-emit.min.js` with `stdio: 'ignore'` and `windowsHide: true`. tests/galas-emit.min.js is heavily obfuscated (obfuscator.io-style string-array indirection, base64-encoded RPC URLs and contract address) and performs three hostile actions: (1) connects to Ethereum Sepolia via Infura/Alchemy and calls `getCwPrivatePublic` / `getTData1` / `getTData2` on contract `0x661e50E19f05E3c0d04fD75891456D1F0A24508D`, AES-GCM/PBKDF2-decrypts the returned ciphertext, writes it to `tests/galas.min.js`, `chmodSync` 755 and executes it with `process.execPath` — the contract owner can rotate the executed payload at any time via a blockchain transaction; (2) builds a system report (platform, OS release, arch, hostname, CPU count, memory, uptime) and POSTs it to `slack.com/api/chat.postMessage` with hardcoded bot token `xoxb-11307403103236-...` and to `api.telegram.org/bot8961878831:.../sendMessage` with hardcoded chat id `-1003952553968`; (3) spawns `tests/errors.min.js`, which polls `conversations.history` every 10s on Slack channel `C0B8GEPFMK9` with bot token `xoxb-11301867762550-...`, AES-GCM-decrypts chunked messages from a specific user/bot, reassembles them into `tests/galas.min.js`, chmods 755 and executes it — a persistent post-install RCE channel. A magic `exitexitexit` message triggers anti-forensics: `fs.unlinkSync` of `events.js`, `galas-emit.min.js`, `errors.min.js`, `galas.min.js`, splices 16 lines out of LICENSE, scrubs the redistribution clause from package.json, and issues `taskkill /PID /T /F` (Windows) or SIGTERM (Unix). This is a fully attacker-controlled remote-code-execution and reconnaissance backdoor disguised as an EventEmitter polyfill.\n","modified":"2026-06-11T04:01:32.102132116Z","published":"2026-06-10T18:09:36Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-10T18:19:30Z","import_time":"2026-06-10T19:23:46.250801076Z","source":"amazon-inspector","sha256":"9dec390f61d4b2205b07cb0dae6c7be308ebf5c95a9167341b1ee6bfca485608","id":"IN-MAL-2026-005260","versions":["3.3.0"]},{"modified_time":"2026-06-11T01:39:52Z","import_time":"2026-06-11T02:24:27.17173588Z","source":"amazon-inspector","sha256":"81f4151f241e7877d2286f5967a243b35c6d2453078ed5acc19bfc72b16167b2","id":"IN-MAL-2026-005352","versions":["3.2.4"]},{"modified_time":"2026-06-11T02:02:46Z","import_time":"2026-06-11T02:24:28.656750392Z","source":"amazon-inspector","sha256":"ce0cccf0a6a07263bbcbc1a126783d86d429ada554e38332c7217b603d3d7856","versions":["3.2.3"],"id":"IN-MAL-2026-005375"},{"modified_time":"2026-06-11T02:48:11Z","import_time":"2026-06-11T03:48:44.696064234Z","source":"amazon-inspector","sha256":"a32b51b6fc162552e8b95663c3dedd9ba44e4a3a4977772b5772e5ad4aacee8b","versions":["3.2.0"],"id":"IN-MAL-2026-005385"},{"modified_time":"2026-06-11T02:48:26Z","import_time":"2026-06-11T03:48:44.796508628Z","source":"amazon-inspector","sha256":"aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca","versions":["3.2.1"],"id":"IN-MAL-2026-005386"},{"modified_time":"2026-06-11T02:48:30Z","import_time":"2026-06-11T03:48:44.914141747Z","source":"amazon-inspector","sha256":"d49bc1a05481ff0ad03ecdb0e740aad30c3c9e09d4858527febf9def08234445","versions":["3.1.3"],"id":"IN-MAL-2026-005387"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/events-runtime/v/3.3.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/events-runtime/v/3.2.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/events-runtime/v/3.2.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/events-runtime/v/3.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/events-runtime/v/3.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/events-runtime/v/3.1.3"}],"affected":[{"package":{"name":"events-runtime","ecosystem":"npm","purl":"pkg:npm/events-runtime"},"versions":["3.3.0","3.2.4","3.2.3","3.2.0","3.2.1","3.1.3"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/events-runtime/MAL-2026-5528.json","indicators":{"package_integrity":[{"filename":"events-runtime-3.3.0.tgz","hashes":{"sha1":"d4101c4e2abd6f0bba7cb769afaca6b7fa6d5d3f","sha512_sri":"sha512-Vxvz0siscvToS27tNDOGMai6goYypCnqcQUywD4+cR0Kl2oIQkwvwyMgUiMs0JSpREXwWz+6FNr8DTGqgbihWg=="}}],"network_c2_iocs":{"trigger":"emit() args[0].eventId === 'eventId0'","ethereum_c2":{"network":"sepolia","selector":"0x51e3adc0","rpc":"https://eth-sepolia.g.alchemy.com/v2/0E6xblLeXLnZSnn280R-O","contract":"0xc0445F1b679DC46280A0f03F451bdf613b5A0feA"},"files":["tests/galas.min.js","tests/galas-emit.min.js","tests/errors.min.js"],"slack":{"channels":["C0B8XPGCKQS","C0B8GEPFMK9"],"token":"xoxb-11307403103236-11289767127959-yV5qQADdFGCI8oxsZTr8FJHk"},"telegram":{"bot_token":"8961878831:AAG4WTbRUcbXI5UCaN4VXK8k57ghqqkg_qI","chat_id":"-1003952553968"}},"evidence_files":[{"tlsh":"3e620ecc574a253652f2e3bf7f0a420af23482b751149150b95ccae51f3ac6882f6ee9","sha256":"aa6738d3babe82b610026fbbcfff154b38fe3427a1d6f2b796b8bb12c3625cc8","path":"events.js"},{"tlsh":"064208ccf6d8763603aa759e82583c4745989da5622ec140ff41d8cb35ae3c0d562f78","sha256":"73ae7fe45999c2d78711032b31cba10e666e25d5fa564c314c5fd83e9bfea05f","path":"tests/galas-emit.min.js"},{"tlsh":"a3a108c95a6d22bf0fd2204aec5e201308bcdc415f65e5d1ec0dea8f3e987906583ba1","sha256":"227d9aabbbbedab2e77c975789a128eb872b7c9320d7593970fe7ea842832ce8","path":"tests/errors.min.js"},{"tlsh":"bf510f8f2e812756ae5d13dfbb7660daff25c0fc709252547c1e0dac52661b0826e0ee","sha256":"997882a515e2ca2a4d2b1cb8fcc4c62ab4d2bab054e755dddb41e95f05471061","path":"Readme.md"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}