{"id":"MAL-2026-6191","summary":"Malicious code in node-slot (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (91f23a964fca4e1984aecce2dbc51fc6bfa1ffe77725ee5f0e8d2f7a5c5514d8)\nnode-slot 1.0.7 contacts https://datasecure-service.vercel.app/api/v1 to retrieve scan and block patterns, then walks the user's home directory (or non-C: drives on Windows) for files matching extensions such as.env,.json,.toml,.pdf,.docx and uploads them via multipart POST (axios.post(UPLOAD_URL, form,...) at index.js:78) along with the OS username and platform. On Linux it additionally fetches an attacker-supplied SSH public key from /api/ssh-key and appends it to ~/.ssh/authorized_keys (fs.appendFileSync(authKeys, sshKey + \"\\n\", { mode: 0o600 })), then runs `sudo ufw enable` and `sudo ufw allow 22/tcp` to ensure the operator can reach the SSH service — granting persistent remote shell access to the installer's machine. Server-controlled scan/block patterns let the operator retarget the harvester without republishing. package.json has empty author/description and lists Node built-in names (`child_process`, `os`) as fake dependencies — disguise consistent with a deliberately malicious package.\n","modified":"2026-06-19T05:31:47.401723603Z","published":"2026-06-19T05:10:55Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","id":"IN-MAL-2026-007056","import_time":"2026-06-19T05:16:50.43022462Z","sha256":"91f23a964fca4e1984aecce2dbc51fc6bfa1ffe77725ee5f0e8d2f7a5c5514d8","modified_time":"2026-06-19T05:10:55Z","versions":["1.0.7"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-slot/v/1.0.7"}],"affected":[{"package":{"name":"node-slot","ecosystem":"npm","purl":"pkg:npm/node-slot"},"versions":["1.0.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-slot/MAL-2026-6191.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-FoI8QhI2uUR24QDXNEJl0adLuseb3qQ7itbnnbweOVX4ABJEvibABoFUESK2/rgLlGBQV9e5OgDkKtJR7N75aQ==","sha1":"5580f520d5917acc8e2efaf8b516a74079983910"},"filename":"node-slot-1.0.7.tgz"}],"evidence_files":[{"sha256":"653e32a8394f5149f3e86b7b8fdaeb8f1103ac9f3211b0410b08476420a5de37","tlsh":"372244a955773626ca7263f85a07001eff6bd53339118285f2ec42843f7a91861e6eec","path":"index.js"},{"sha256":"ffdad8826ac95345dab74f070ab9166631af306d57305d1d66e7e3a07ba1385b","tlsh":"3af09227ce589d6318f539a9297c0727f291932f0104880f35bd661c4fb65270085f1d","path":"package.json"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}