{"id":"MAL-2026-5938","summary":"Malicious code in speed4 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (979f38f25a707a09a4469b3dd0f24c603e2d9a195eaaa9b2a9ea3d84076dc9d0)\nspeed4@1.1.7 is part of a self-cloning namespace-squatting family. The tarball contains `auto-publish.sh` which sets `BASE=\"speed\"`, `TOTAL=5`, copies the package contents into `tmp_speedN` directories, rewrites `package.json.name` to `speed1`..`speed5`, and runs `npm publish --silent` for each variant. Nested leftover directories `tmp_speed3/tmp_speed2/tmp_speed1/` shipped inside the tarball confirm the script has been executed at least three times and that all five `speedN` packages distribute identical content. Package metadata is consistent with a squat: generic short name, `\"description\": \"package\"`, empty `author` field. The served content is a deceptive HTML page (`index.html`) that advertises a 'Riverbend Tutoring' brand while registering first-gesture click/keydown/touchstart handlers that call `window.open('https://abdct.com/', '_blank', 'noreferrer')` to redirect visitors to an unrelated third-party domain. The tarball additionally bundles a dozen heavily obfuscated JavaScript assets under `assets/` (hex-identifier renamed, single-line minified) duplicated across the nested clone directories.\nInstalling or pulling this package into a build hands the consumer an attacker-controlled deceptive payload bundled under multiple confusable short names on the registry.\n","modified":"2026-06-17T00:16:41.997457431Z","published":"2026-06-16T23:42:21Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006859","import_time":"2026-06-17T00:00:53.865444756Z","modified_time":"2026-06-16T23:42:21Z","versions":["1.1.7"],"sha256":"979f38f25a707a09a4469b3dd0f24c603e2d9a195eaaa9b2a9ea3d84076dc9d0","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/speed4/v/1.1.7"}],"affected":[{"package":{"name":"speed4","ecosystem":"npm","purl":"pkg:npm/speed4"},"versions":["1.1.7"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"b0f0dd85a6ae0d143d1f04ff6a8700d95647d32a54abba80e1c252d59ed2616b4078c8","path":"auto-publish.sh","sha256":"3e4fdc22ab24745f0c64523657eb9bee1ce81d4174a1ba665ed551ffa59998c5"},{"tlsh":"2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad","path":"index.html","sha256":"f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c"}],"package_integrity":[{"filename":"speed4-1.1.7.tgz","hashes":{"sha512_sri":"sha512-wEpnpbfiKpWvD+yv1I0vQHoDYe+7OR3SA2TXtLv9W6LUUHDOKmEpO1l91FHegWrluPoesdcbGBE+f9TXQSo7Fw==","sha1":"5d01c43f73f1713e02227866c7fe9e15e9deb2b2"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/speed4/MAL-2026-5938.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}