{"id":"MAL-2026-5790","summary":"Malicious code in ldpbootstrap-jquery (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bcab02ae44d1604b6fa9e80156a8c5882f7a4809470ff59eb6d14db4bf28f91f)\nldpbootstrap-jquery ships and executes an obfuscated Windows PowerShell payload as part of its documented usage. The package contains dist/ps1-stub.enc.hex, an 8KB opaque hex-encoded blob, and dist/bootstrap.js decrypts it with a hardcoded XOR key (f633ffeeffbbc09da9f2b477e1183294), writes the decrypted PS1 to %LOCALAPPDATA%\\Landpage\\\u003cps1FileName\u003e, and invokes it via `powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -WindowStyle Hidden -File \u003cpath\u003e` — explicitly bypassing execution policy and hiding the window. bootstrap.js also fetches a session-specific PS1 over plain HTTP from a consumer-configured apiBase (README example: http://192.168.1.143:3001) using MSXML2.ServerXMLHTTP with session/fingerprint headers, then writes and executes it via the same hidden PowerShell flow. The README explicitly documents AV evasion as a design goal, referencing docs/HTA-AV-HYGIENE.md and describing per-session XOR key derivation in an HTA context for MSI delivery. The shipped encrypted blob, hardcoded decryption key, hidden-window/policy-bypass PowerShell execution, and author-documented anti-virus evasion together constitute malware-distribution infrastructure. 
Although the harmful flow is invoked through the package's API rather than auto-running on `npm install` or `require()`, any developer using the package as documented will execute attacker-shaped, AV-evading PowerShell on Windows endpoints.\n","modified":"2026-06-15T17:31:48.385830230Z","published":"2026-06-15T15:53:31Z","database_specific":{"malicious-packages-origins":[{"sha256":"081cd4ae661f00aaa38c17590d935425f436c732eecba4af50d227c8f4879554","import_time":"2026-06-15T17:22:46.315326912Z","id":"IN-MAL-2026-006504","source":"amazon-inspector","versions":["1.0.10"],"modified_time":"2026-06-15T15:53:37Z"},{"sha256":"0fd0758eaec7ae489cbbaf58b250db2efc14607c06c2774f2fe7bf64782769fc","import_time":"2026-06-15T17:22:45.807868228Z","id":"IN-MAL-2026-006497","source":"amazon-inspector","versions":["1.0.15"],"modified_time":"2026-06-15T15:53:33Z"},{"sha256":"67a1d48a2560b4d157c03265d3445ead2ecff56c91769c4fc45e5d8ec06affe8","import_time":"2026-06-15T17:22:45.950707405Z","versions":["1.0.11"],"source":"amazon-inspector","modified_time":"2026-06-15T15:53:35Z","id":"IN-MAL-2026-006499"},{"sha256":"6f7b8473f32885d965ba7f36c7dd2dca9789a87db43949e35988d75f1926d299","import_time":"2026-06-15T17:22:45.748409491Z","versions":["1.0.13"],"source":"amazon-inspector","modified_time":"2026-06-15T15:53:31Z","id":"IN-MAL-2026-006496"},{"sha256":"71957c93a274979ca6de0d40b51e8bd32d85592e6a77debf32439c936632cd26","import_time":"2026-06-15T17:22:46.196747908Z","modified_time":"2026-06-15T15:53:36Z","source":"amazon-inspector","id":"IN-MAL-2026-006502","versions":["1.0.10"]},{"sha256":"bcab02ae44d1604b6fa9e80156a8c5882f7a4809470ff59eb6d14db4bf28f91f","import_time":"2026-06-15T17:22:45.873707494Z","modified_time":"2026-06-15T15:53:34Z","source":"amazon-inspector","id":"IN-MAL-2026-006498","versions":["1.0.11"]},{"sha256":"e1bb4fb444cd0d88009ae97fe127905df0eb1b09436f89e2d4625cbabaab85b4","import_time":"2026-06-15T17:22:46.271673155Z","modified_time":"2026-06-15T15:53:36Z","source":"amazon-inspector","id":"IN-MAL-2026-006503","versions":["1.0.9"]},{"sha256":"f10a9875281cbae30c18a5f6a8bcdfd9b4be989a35b7122aff4d7653ca47a20e","import_time":"2026-06-15T17:22:46.122263011Z","id":"IN-MAL-2026-006501","source":"amazon-inspector","versions":["1.0.9"],"modified_time":"2026-06-15T15:53:36Z"},{"sha256":"0cfe4fa0ac12c2797913fee881e32d32bd0ea715222b3ae9bdfd1fb4bd538139","import_time":"2026-06-15T17:22:46.030975661Z","modified_time":"2026-06-15T15:53:35Z","source":"amazon-inspector","id":"IN-MAL-2026-006500","versions":["1.0.13"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ldpbootstrap-jquery/v/1.0.15"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ldpbootstrap-jquery/v/1.0.13"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ldpbootstrap-jquery/v/1.0.10"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ldpbootstrap-jquery/v/1.0.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ldpbootstrap-jquery/v/1.0.9"}],"affected":[{"package":{"name":"ldpbootstrap-jquery","ecosystem":"npm","purl":"pkg:npm/ldpbootstrap-jquery"},"versions":["1.0.10","1.0.15","1.0.11","1.0.13","1.0.9"],"database_specific":{"indicators":{"ips":["104.16.5.34"],"evidence_files":[{"sha256":"e284cf76d838fba3aa5080d323a304524da79f2d43ab87f6259c6cb5cf553b06","path":"dist/bootstrap.js","tlsh":"edc1e64435d1f96a635259b1a6ffc100a136790a346dc231e7d0f59f788a2b8cb3eec9"},{"sha256":"7ec5a4c93df0a1e33fe80c24a58b34c07c6014ed9c7bccd20e75af911fb69f83","path":"dist/bootstrap-loader.min.js","tlsh":"4311ef083ad2987a539700e5b4bfc14ab0322e21450dd120d6c6cda83c69d9ec537eec"},{"tlsh":"8d4163a98fd11149c831c387709b6db0cae7709559c870adcbdeb329452d9a3a23f707","path":"README.md","sha256":"b856604c5578fd4839b2923683612a27b7b509a34675da07463b57544cc0d9dd"}],"package_integrity":[{"filename":"ldpbootstrap-jquery-1.0.15.tgz","hashes":{"sha1":"dc1c169a507ea510728679a0134e473b73ba27ec","sha512_sri":"sha512-kJwOG4O/rq8mwAfFqLFKSUI8VILB7ImHgoginSRF10O+KwVsjDV/41LrW+bV5FRcvyeY1Q+2vKW9MDUCG0O6Mg=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ldpbootstrap-jquery/MAL-2026-5790.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}