{"id":"MAL-2026-5569","summary":"Malicious code in js-crypto-promise (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f)\nThe package's `prepinstall.js` script base64-decodes a hidden URL (stored in a constant misleadingly named `HASH_KEY` decoding to https://jsonkeeper.com/b/DWNFF, an anonymous paste service), fetches the JSON body via axios, reads the `.cache` field, and pipes the contents into a detached `node` child process via stdin: `const child = spawn('node', [], { detached: true, stdio: ['pipe', 'ignore', 'ignore'] }); child.stdin.write(k1);`. This dropper fires automatically on `npm install` via `scripts.postinstall`. To defeat the `--ignore-scripts` mitigation, `index.js` also wraps a dynamic `import('./prepinstall.js')` inside a top-level IIFE, so any consumer that `require('js-crypto-promise')` re-triggers the same remote fetch and execution. The payload host is mutable, anonymous, unpinned, and unverified — the package author can swap in arbitrary code at any time. The package name impersonates the legitimate `crypto-promise` package: the README copies the real package's example code and embeds the real package's npm badge link, and the homepage points at the legitimate maintainer's GitHub repo. Installer impact: any `npm install` or `require()` of this package executes attacker-controlled Node.js code on the installer's machine.\n","modified":"2026-06-11T05:46:31.396156435Z","published":"2026-06-11T04:49:31Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-11T04:49:31Z","versions":["1.0.1"],"import_time":"2026-06-11T05:40:59.001689617Z","source":"amazon-inspector","sha256":"0f5a7a6c89bed501873fcf3ed3eee38f5198ef5224d71038324f3543380feb5e","id":"IN-MAL-2026-005480"},{"modified_time":"2026-06-11T04:49:31Z","versions":["1.0.1"],"import_time":"2026-06-11T05:40:58.904783131Z","source":"amazon-inspector","sha256":"a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f","id":"IN-MAL-2026-005479"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/js-crypto-promise/v/1.0.1"}],"affected":[{"package":{"name":"js-crypto-promise","ecosystem":"npm","purl":"pkg:npm/js-crypto-promise"},"versions":["1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/js-crypto-promise/MAL-2026-5569.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"sha256":"e7c772a541f61ef9cd7b77f1d6f2d216faa593b0348cf76f483df6ea873c2335","path":"prepinstall.js","tlsh":"8ee0225f3677ab7d2f700ed4983286764d12a020f6c2e5e0a50a80176a8b78a114bfe8"},{"sha256":"13aae5311a4162d7847e0be6ff1545db0a994dd8fe2d3e911617a9055fc2589f","path":"package.json","tlsh":"f9016896cc68d8672bc421f26c7e110bf62048474919fc0a73c7860c0b8e8ab01bc26d"},{"sha256":"72c465459ec2b1ccce5cee1a8357a218107a7da7198a3c396acdc3ac5abc51e5","path":"index.js","tlsh":"6b01d8497efcf0d703d1a0d7453bfb81ed92b0a3b2008b65938bea5cc5e1168c93a594"}],"domains":["jsonkeeper.com"],"package_integrity":[{"filename":"js-crypto-promise-1.0.1.tgz","hashes":{"sha512_sri":"sha512-7zhn4EGpns+43OCWvRZZKU6cb4FxdF+nMHPYduQ1qyu+WWd5cJ3u3PvQSyuyVEV7D4JT15QgZSTaKtqhAOPWEA==","sha1":"16cb9ac29c00ff5c1a9412f8039643867e91b65d"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}