{"id":"MAL-2026-5534","summary":"Malicious code in @thomlecter1122/lab-helper-test (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9448c8cb290ff20cf707537035a6c383a4506b452c3ddc0e4c56bc398e02dbc7)\nrouter_init.js line 4 contains the canonical obfuscated-payload-execution pattern: `eval(Buffer.from(\u003cbase64-blob\u003e, 'base64').toString(...))`. This decodes a hidden bytes blob and executes it as JavaScript at the moment the file is loaded, allowing arbitrary author-supplied code to run on the installer's machine without any visible source. There is no legitimate reason for a package described as a 'lab helper' to ship a base64-encoded eval'd payload in a file named router_init.js, and the obfuscation is specifically designed to defeat source review. Any code path that requires this module — including normal application startup or transitive imports — will execute the hidden payload.\n","modified":"2026-06-11T00:16:30.701725450Z","published":"2026-06-10T23:35:46Z","database_specific":{"malicious-packages-origins":[{"sha256":"650b9b18b0bc5101d5d948edf6bb841af88e20509a061dbbfe3fa21a8658b819","modified_time":"2026-06-10T23:35:46Z","import_time":"2026-06-11T00:00:58.506202458Z","id":"IN-MAL-2026-005322","versions":["0.0.16"],"source":"amazon-inspector"},{"sha256":"9448c8cb290ff20cf707537035a6c383a4506b452c3ddc0e4c56bc398e02dbc7","id":"IN-MAL-2026-005324","import_time":"2026-06-11T00:00:58.699196382Z","modified_time":"2026-06-10T23:36:46Z","versions":["0.0.11"],"source":"amazon-inspector"},{"sha256":"c15cab8e8dc86301754623991e2ae38130feb1a7b5d26e7a204ac2fbd918a166","id":"IN-MAL-2026-005325","import_time":"2026-06-11T00:00:58.797247524Z","modified_time":"2026-06-10T23:36:56Z","versions":["0.0.15"],"source":"amazon-inspector"},{"sha256":"cef9ef58b6705aee11294b49f3e944e60b4047973a98378abc2f37e3dacd627b","modified_time":"2026-06-10T23:36:37Z","import_time":"2026-06-11T00:00:58.593243686Z","id":"IN-MAL-2026-005323","versions":["0.0.2"],"source":"amazon-inspector"},{"sha256":"e12350df6e9a9d5a75f3796a6ebe9c08156ada9cbfd29acd480bf78fa51e61b9","modified_time":"2026-06-10T23:37:03Z","import_time":"2026-06-11T00:00:58.956948473Z","id":"IN-MAL-2026-005326","versions":["0.0.5"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@thomlecter1122/lab-helper-test/v/0.0.16"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@thomlecter1122/lab-helper-test/v/0.0.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@thomlecter1122/lab-helper-test/v/0.0.15"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@thomlecter1122/lab-helper-test/v/0.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@thomlecter1122/lab-helper-test/v/0.0.5"}],"affected":[{"package":{"name":"@thomlecter1122/lab-helper-test","ecosystem":"npm","purl":"pkg:npm/%40thomlecter1122%2Flab-helper-test"},"versions":["0.0.16","0.0.11","0.0.15","0.0.2","0.0.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@thomlecter1122/lab-helper-test/MAL-2026-5534.json","indicators":{"evidence_files":[{"sha256":"3ed6e162a46f00edce3bcaf365b5a9ac82d4c9e9c5a4c8efaa9622e68b1cafe7","path":"router_init.js","tlsh":"7201ef6ccf217988190054cb38eba92a846b03d4f4a468e54aed1ecb8675b5764fb8c8"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-Avp3BR3qRNDjs+0GAO/nizPNvTvuY1JzD9gxGJ7JBprvx6vPaD+0bUSajv6JDQNCLchRgnkZmvk7DjU+mxd2Yg==","sha1":"9e35d4d7f0a16fe5ce57e81d1bd9a02918b9af5b"},"filename":"lab-helper-test-0.0.16.tgz"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}