{"id":"MAL-2026-5564","summary":"Malicious code in @tonsdk/core (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d9a9a70e3d8b322df960cb96b195f74693eb4d2ea284680e4cfb41a33f1848f8)\n@tonsdk/core impersonates the legitimate @ton/core TON blockchain SDK. On `npm install`, scripts/postinstall.js executes automatically and performs two attacker-controlled actions against a hardcoded bare-IP C2 at 213.218.160.189 (ports 8080 and 80) over plaintext HTTP. First, it base64-encodes a JSON fingerprint of the installer host — hostname, username, platform, arch — and sends it as a GET query string to `/s?q=\u003cbase64\u003e`, leaking host identifiers on every install. Second, it fetches a response payload, optionally XOR-decrypts it, and passes the result to eval(), giving the operator arbitrary remote code execution in the installer's Node process. The script also probes for VM/sandbox/analyst tooling (vmtoolsd, vboxservice, wireshark, x64dbg, ida) to suppress execution in researcher environments.\nThe package description and name target developers searching for TON SDK tooling; the repository URL (`aspect-build/tonsdk`) is unrelated to the real TON foundation.\n","modified":"2026-06-11T05:46:33.998928451Z","published":"2026-06-11T05:00:02Z","database_specific":{"malicious-packages-origins":[{"sha256":"d9a9a70e3d8b322df960cb96b195f74693eb4d2ea284680e4cfb41a33f1848f8","import_time":"2026-06-11T05:41:03.945757348Z","modified_time":"2026-06-11T05:00:02Z","versions":["0.9.3"],"source":"amazon-inspector","id":"IN-MAL-2026-005530"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@tonsdk/core/v/0.9.3"}],"affected":[{"package":{"name":"@tonsdk/core","ecosystem":"npm","purl":"pkg:npm/%40tonsdk%2Fcore"},"versions":["0.9.3"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@tonsdk/core/MAL-2026-5564.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-BH0WdyHhZwg69C8Cj9HLVlgWFx6bRmxwE8+rGJpuxvv5xg8aUgM1tnv2C7+o2qv22A4GxydEuc69o/lNyzwLqw==","sha1":"d78e281f1e3dcc36a948641bcbb5e5e2e8abfa69"},"filename":"core-0.9.3.tgz"}],"evidence_files":[{"sha256":"b2144acd6e3e1b58bff7ac4f201248831e65e435283267d35018a92fd02ed59d","path":"scripts/postinstall.js","tlsh":"045145d4b6fa5130526395bc596fd841b27fe503b106d6e8bacc13406f45a68c3f34e9"},{"sha256":"a92005f40f8241f8ab83a14f9640997f9520aec6c34b8808ec6ef049dd0ef126","path":"package.json","tlsh":"d2014935ca105e731ec86a89dc6d0642a562081f8c147c2d33e3413c8f4e2af51fe72e"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}