{"id":"MAL-2026-5896","summary":"Malicious code in jest-test-plugin-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3f948eff13632557a65152c587b6aa87783e49cf40504aedca8ee15da6ed205e)\nThe package advertises itself as a Jest plugin (name: 'jest-test-plugin-utils', description: 'mqtt utils') but ships no Jest or MQTT functionality. Its main entry dist/index.js is a heavily obfuscated 200KB browserify bundle (obfuscator.io fingerprint: 1299-entry rotated string array, decoder wrapper, control-flow flattening; built with the declared devDependency 'gulp-javascript-obfuscator'). After deobfuscation, the only meaningful behavior is a function loadFilbetScriptSilently() (exposed as window.__fetchFilbetScript__) that creates a \u003cscript\u003e element with src='https://cdn.jsdelivr.net/gh/gongben2024/network-security@main/src/filbet.js' and appends it to document.head, executing whatever code the author hosts at that mutable @main branch. The destination repository is named 'network-security' under author 'gongben2024' and is unrelated to the package's stated purpose. Because the reference is to the @main branch (not a pinned commit/tag), the author can change the executed payload at any time without republishing this package. Any application that bundles or imports this module will execute attacker-controlled JavaScript in the browser context, with full access to the host page's DOM, cookies, and storage. The combination of name camouflage, heavy obfuscation, and unpinned remote-script execution is a deliberate supply-chain attack pattern.\n","modified":"2026-06-16T16:16:47.922937697Z","published":"2026-06-16T15:37:20Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-06-16T15:37:24Z","sha256":"3f948eff13632557a65152c587b6aa87783e49cf40504aedca8ee15da6ed205e","id":"IN-MAL-2026-006765","import_time":"2026-06-16T16:06:34.427097256Z","versions":["1.0.0"]},{"sha256":"54c5196f3361da72dfccd2c8abb0caba132415f9907602c5a6ec92d6da2e077f","modified_time":"2026-06-16T15:37:23Z","import_time":"2026-06-16T16:06:34.332185997Z","id":"IN-MAL-2026-006764","versions":["1.0.2"],"source":"amazon-inspector"},{"source":"amazon-inspector","modified_time":"2026-06-16T15:37:30Z","sha256":"bb80fa98045e0dd75514425f419aa986e7e57bfa888d8baaa8c5eb0016418f83","id":"IN-MAL-2026-006766","import_time":"2026-06-16T16:06:34.568829617Z","versions":["1.0.1"]},{"sha256":"f5445eba984ab32829120583a68c6bfc2fa8aec2f875b506c873de598f1d27d1","modified_time":"2026-06-16T15:37:20Z","import_time":"2026-06-16T16:06:34.127682958Z","id":"IN-MAL-2026-006763","versions":["1.0.4"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/jest-test-plugin-utils/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/jest-test-plugin-utils/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/jest-test-plugin-utils/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/jest-test-plugin-utils/v/1.0.4"}],"affected":[{"package":{"name":"jest-test-plugin-utils","ecosystem":"npm","purl":"pkg:npm/jest-test-plugin-utils"},"versions":["1.0.0","1.0.2","1.0.1","1.0.4"],"database_specific":{"indicators":{"evidence_files":[{"path":"dist/index.js","sha256":"a61584375c14c072e01ec862ed28d36ff0157245a5b195229da9dafa8946a040","tlsh":"e514404077c0b844538b1fba766fb4e5e46b1de934c4090bc515fca0f5baa26fae2934"},{"path":"package.json","sha256":"b152b66b1f3a7e2634d7dcdb3cf45409e2fa55d9770b061f6f6f5c92db06f513","tlsh":"fdf02734dd71987306e820e51c682167e0709d2bc245fd1c33c7140c4a5f2eb64be6ac"}],"package_integrity":[{"filename":"jest-test-plugin-utils-1.0.0.tgz","hashes":{"sha512_sri":"sha512-ipOiWo9EBBPkhnInqSV4Se9fDI6iUR/13dKvtt04vFctEePsyzs2NuYD4JAkmm/jZw7gpc7hDbyCvCBjIWlK2Q==","sha1":"b8a42abd71c8e56f7560f015cdc53596b0f9b476"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jest-test-plugin-utils/MAL-2026-5896.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}