{"id":"MAL-2026-6317","summary":"Malicious code in ts-bn-lint (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e591f0b407bc22e3abe20da9207df2d2922f75d98ab97aaa62557ca88b8fc349)\nts-bn-lint@3.1.19 is a credential harvester disguised as a TypeScript/lint utility. index.js defines `decodeStr` which base64-decodes all operationally sensitive strings, including the C2 endpoint `https://data-stream.space/api/v1` (index.js:32) and the target filename patterns `.env`, `config.toml`, `Config.toml`, `config.json`, `id.json`, and `env` (index.js:13-18). The exported `from_str` function recursively walks `process.cwd()` collecting files matching those patterns, then gathers shell histories by invoking `execSync(\"bash -c history\")` and `execSync(\"zsh -c 'fc -l -1000'\")` (index.js:101, 117), tagging each upload with the local username and IP for victim correlation before POSTing to the C2 endpoint. The `id.json` target is the standard Solana CLI keypair file; `.env` and `config.*` typically contain API keys and database credentials. The package's own `test.js` calls `from_str()` unconditionally, so `npm test` triggers exfiltration; any consumer who requires the package and calls the exported function does the same. Package metadata is empty (no author, no description) and the name impersonates the TypeScript/lint tooling namespace.\n","modified":"2026-06-23T17:01:29.514096560Z","published":"2026-06-23T16:11:21Z","database_specific":{"malicious-packages-origins":[{"sha256":"86ac26ab369f912cd3ec3498348b0182ff37868633087294b69c1cc583e184f6","id":"IN-MAL-2026-007263","import_time":"2026-06-23T16:54:12.753171106Z","versions":["5.8.0"],"source":"amazon-inspector","modified_time":"2026-06-23T16:11:21Z"},{"id":"IN-MAL-2026-007272","sha256":"e591f0b407bc22e3abe20da9207df2d2922f75d98ab97aaa62557ca88b8fc349","import_time":"2026-06-23T16:54:13.577464342Z","versions":["3.1.19"],"source":"amazon-inspector","modified_time":"2026-06-23T16:11:28Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-bn-lint/v/5.8.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-bn-lint/v/3.1.19"}],"affected":[{"package":{"name":"ts-bn-lint","ecosystem":"npm","purl":"pkg:npm/ts-bn-lint"},"versions":["5.8.0","3.1.19"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-bn-lint/MAL-2026-6317.json","indicators":{"package_integrity":[{"filename":"ts-bn-lint-5.8.0.tgz","hashes":{"sha512_sri":"sha512-ZHB6JWwY4HKnFANqFqbdqDsnUuicEvoR6joQlyvAXJ95RzKpl0JgoaIBMOSeGtpuKqUua2HcQtCbzVeYc3wpeg==","sha1":"d7e02f1c1ce21b3a5ce1a954c19c38de4cb445b3"}}],"evidence_files":[{"sha256":"96307f0ca4a0914857019add5e6da267f10f3c278fa82e50e02787b2ca200eea","path":"big.js","tlsh":"73c2658c3ac67579593363788f465088eb38525712c8b186b4ae63b46f78cb107b5fdc"},{"sha256":"6c0e820b07fea88509abfa39be963df1f4baae6604c636101d9d71439ccda091","path":"package.json","tlsh":"66210463c9a19da70af85b94bc6c43aaf2161b2f41a05c57b07b130c5f3355b2096bbd"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}