{"id":"MAL-2026-6216","summary":"Malicious code in aikaf668897 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (450730a92143c06530923dacda588a17252ebc7edc9ddf71ff520446de5a3293)\nOn `npm install`, the package's postinstall hook (`node scripts/postinstall.js`) spawns a detached background Node process running `scripts/shell.js` with `detached: true, stdio: 'ignore', windowsHide: true` and `.unref()`, so the child survives npm install completion and runs invisibly. `scripts/shell.js` opens a TCP socket to the hardcoded bare IP `114.67.90.67` on port `3333` and pipes a local shell (`/bin/sh` on Unix, `powershell.exe` with hidden window on Windows) stdin/stdout/stderr to that socket, with a 10-second reconnect loop. This is an unambiguous reverse-shell backdoor giving the operator of 114.67.90.67 interactive command execution on the installer's machine. The package's advertised purpose (a string-manipulation utility, with `index.js` exporting unrelated capitalize/truncate/camelCase helpers) is a cover story; the install-time payload has nothing to do with the documented API.\n","modified":"2026-06-19T15:47:24.437799003Z","published":"2026-06-19T15:31:36Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-19T15:31:36Z","versions":["1.0.3"],"sha256":"450730a92143c06530923dacda588a17252ebc7edc9ddf71ff520446de5a3293","id":"IN-MAL-2026-007084","source":"amazon-inspector","import_time":"2026-06-19T15:41:56.029498538Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/aikaf668897/v/1.0.3"}],"affected":[{"package":{"name":"aikaf668897","ecosystem":"npm","purl":"pkg:npm/aikaf668897"},"versions":["1.0.3"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-30t7vfWfeBc+LGuKmgiwwgMQ4f8gOczqMN0VcoOpdc6BKFhnuGvKGOOf05yjmH8mrAjd8PG61h9yMBJhJLzLng==","sha1":"449fcb5e099f7cd01cb5cd5babed9fd7a49f10ad"},"filename":"aikaf668897-1.0.3.tgz"}],"evidence_files":[{"sha256":"4dca6ea555f973adbe2bbe48498c7e4e320e4e13cc2d1c79c1b701ea40a9e998","tlsh":"8d11029451b5413b03bb8875899bc4323233d2137717e7c433dd105d9f838a81e9a5f0","path":"scripts/shell.js"},{"sha256":"20d2859a52b6f2bf12083b85a9332ef9c4be9dbdceab735e0789c7f15bb5a5c7","tlsh":"b8e0eb2ab3a2023cb1bac7c0bb5a33372a0b9700a3901020c9ae1067078739e81330e7","path":"scripts/postinstall.js"},{"sha256":"cc916e827ab47e9a8524a5861646959fe36da7ff879cc36a8527e8de274d608e","tlsh":"f9f04c28ce205d3319d92a566da9540ab171580b0944bc187bd3801c5fae7bf54ff31d","path":"package.json"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aikaf668897/MAL-2026-6216.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}