{"id":"MAL-2026-6217","summary":"Malicious code in aikaf788812 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c91950cef6a5f877a4a9bca074501e4c910dc50008d4c8c2623ddc21f08e31f2)\nPackage masquerades as a string-utility library but ships a postinstall backdoor. On `npm install`, scripts/postinstall.js spawns scripts/shell.js as a detached background process (stdio:'ignore', windowsHide:true) that survives the install lifecycle. shell.js attempts multiple reverse-shell methods — a Node net socket piping /bin/sh or powershell, bash /dev/tcp, and a Python socket+subprocess payload — connecting to 114.67.90.67 on ports 3334, 4444, 443, 80, 8080, and 53. It additionally issues an HTTP GET to http://114.67.90.67:8333/ping carrying the installer's hostname, username, cwd, and OS platform/release as query parameters, fingerprinting the victim and confirming compromise. A setInterval keep-alive plus an infinite Python reconnect loop maintain persistent C2 access on the installer's machine.\n","modified":"2026-06-19T15:47:26.774697895Z","published":"2026-06-19T15:31:29Z","database_specific":{"malicious-packages-origins":[{"sha256":"c91950cef6a5f877a4a9bca074501e4c910dc50008d4c8c2623ddc21f08e31f2","source":"amazon-inspector","import_time":"2026-06-19T15:41:55.920151939Z","id":"IN-MAL-2026-007082","versions":["1.0.3"],"modified_time":"2026-06-19T15:31:29Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/aikaf788812/v/1.0.3"}],"affected":[{"package":{"name":"aikaf788812","ecosystem":"npm","purl":"pkg:npm/aikaf788812"},"versions":["1.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aikaf788812/MAL-2026-6217.json","indicators":{"package_integrity":[{"filename":"aikaf788812-1.0.3.tgz","hashes":{"sha1":"9864c93fe6c3649d73c974b8238b9317c998f830","sha512_sri":"sha512-mTwJdxKILaBcVWh6rI5WbZRJnFN94dVRMg22BmKNrnS2bKQrDhjZGmtgau6+DjvXE5MBK+7NFdzVe+Jo42rbVQ=="}}],"evidence_files":[{"tlsh":"7081a5b445ba442d3377975f820b103163aba1072d1ae6a836bc53436fd2dbc5863af4","sha256":"9a9278d74630388e996735bb2e778f572010a2952c9304495f41cbd43adbecee","path":"scripts/shell.js"},{"tlsh":"b8e0eb2ab3a2023cb1bac7c0bb5a33372a0b9700a3901020c9ae1067078739e81330e7","sha256":"20d2859a52b6f2bf12083b85a9332ef9c4be9dbdceab735e0789c7f15bb5a5c7","path":"scripts/postinstall.js"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}