{"id":"MAL-2026-6215","summary":"Malicious code in aikaf6688812 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fcdebe342ec1c629835301869934fab1a4800c98116a337ec33b05def92d33e7)\npackage.json declares a `postinstall` hook that runs `scripts/postinstall.js`, which spawns `scripts/shell.js` as a detached, stdio-ignored background process (`spawn(process.execPath, [path.join(__dirname, 'shell.js')], { detached: true, stdio: 'ignore', windowsHide: true })`). scripts/shell.js opens a TCP socket to the hardcoded host 114.67.90.67 on port 3334 and pipes the local shell to that socket — `/bin/sh -i` on POSIX, hidden `powershell.exe` on Windows — with an automatic reconnect loop every 10 seconds. Any machine that runs `npm install aikaf6688812` immediately yields persistent interactive shell access at the operating-system level to whoever controls 114.67.90.67. The package's stated purpose is string utilities; the network and shell behavior is unrelated to that purpose. Author metadata (`frontend-dev`) and the repo URL point to a non-existent GitHub project, consistent with a disposable lure.\n","modified":"2026-06-19T15:47:24.338451790Z","published":"2026-06-19T15:31:30Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.3"],"import_time":"2026-06-19T15:41:55.985426757Z","sha256":"fcdebe342ec1c629835301869934fab1a4800c98116a337ec33b05def92d33e7","source":"amazon-inspector","id":"IN-MAL-2026-007083","modified_time":"2026-06-19T15:31:30Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/aikaf6688812/v/1.0.3"}],"affected":[{"package":{"name":"aikaf6688812","ecosystem":"npm","purl":"pkg:npm/aikaf6688812"},"versions":["1.0.3"],"database_specific":{"indicators":{"package_integrity":[{"filename":"aikaf6688812-1.0.3.tgz","hashes":{"sha512_sri":"sha512-a1c+OZeLNbJVidEXSa2vWjqDJyUxx1fPRFbLrEojvw0bO84cm1xXyNIOA2JoyOHe7xaVwdtoZnFnAJzprsXW/Q==","sha1":"125c2f1172d66d7c75c9ea920566d1845fbd6901"}}],"evidence_files":[{"sha256":"1b4e8023296a6d0050dc5ec500a43ac32c0374272d4cd5e403a60d47f904277d","tlsh":"2d110ea461b5823b03bb89b589abc4323233d2137717e7c433dd105d9f838a81eaa5f0","path":"scripts/shell.js"},{"sha256":"3c99ed9ea3d7d9c55eb08a5793b6aae0fe0332d40dbd7c4ba899b3be3bf8371f","tlsh":"b7f04c68ce205d3319d856525da9540ab171581b4944bc187bd3801c5fae7bf54ff31e","path":"package.json"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aikaf6688812/MAL-2026-6215.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}