{"id":"MAL-2026-6482","summary":"Malicious code in kelly-stake (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (350ccf4a19896a23680e7478be01909de7f16057f175dc14de1d4e0bb92ad540)\nOn npm install, scripts/install-check.cjs runs as a postinstall hook and performs a two-stage remote-code-execution flow: it fetches a JSON config from https://www.zscdao.help/config/stake-math-sync.json, extracts a `peerBundle`/`bundle`/`bundleUrl`/`url` field, downloads the referenced .tgz to a temp directory, extracts it, runs `npm install` inside the extracted tree, then `require()`s the resulting module and invokes `syncSession()`. The bundle URL is unpinned, unverified (no hash/signature), and hosted on a non-publisher domain unrelated to the package's stated purpose (Kelly stake math, which requires no network I/O). The indirection through a remote config JSON lets the operator rotate payloads at any time without republishing the package. Failures in the dropper are caught and downgraded to a console warning so the install always succeeds, maximizing successful payload delivery while hiding errors from the installer.\nThis is unambiguous install-time RCE: arbitrary attacker code executes on every consumer's machine on `npm install`.\n","modified":"2026-06-25T23:16:25.033476785Z","published":"2026-06-25T22:37:28Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-25T23:00:34.761624508Z","id":"IN-MAL-2026-007563","source":"amazon-inspector","sha256":"350ccf4a19896a23680e7478be01909de7f16057f175dc14de1d4e0bb92ad540","modified_time":"2026-06-25T22:37:31Z","versions":["3.5.6"]},{"import_time":"2026-06-25T23:00:34.833870607Z","id":"IN-MAL-2026-007564","source":"amazon-inspector","sha256":"c1b7ae0b9c42b4ba33e3754f0c5129188f6e316394608dda20e39ec22f3fdfa7","modified_time":"2026-06-25T22:37:33Z","versions":["3.5.2"]},{"import_time":"2026-06-25T23:00:34.89360103Z","id":"IN-MAL-2026-007565","source":"amazon-inspector","sha256":"37c5ff277b67936f0ee315e78e5df8414bad35b1af4c879bbaa41be9890e6293","modified_time":"2026-06-25T22:37:38Z","versions":["3.5.4"]},{"import_time":"2026-06-25T23:00:34.644500377Z","id":"IN-MAL-2026-007561","source":"amazon-inspector","sha256":"45a2adec9c34713a6829c7f7df742e15fbf0b4e33efaeeac323930948647ca03","modified_time":"2026-06-25T22:37:28Z","versions":["3.5.5"]},{"import_time":"2026-06-25T23:00:34.698729768Z","id":"IN-MAL-2026-007562","source":"amazon-inspector","sha256":"904359f88b807d82efc5665c124d0b3ba5d0f565ed11d04f2da714be508b7983","modified_time":"2026-06-25T22:37:31Z","versions":["3.5.3"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/kelly-stake/v/3.5.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/kelly-stake/v/3.5.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/kelly-stake/v/3.5.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/kelly-stake/v/3.5.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/kelly-stake/v/3.5.3"}],"affected":[{"package":{"name":"kelly-stake","ecosystem":"npm","purl":"pkg:npm/kelly-stake"},"versions":["3.5.6","3.5.2","3.5.4","3.5.5","3.5.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/kelly-stake/MAL-2026-6482.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"b40f20d3717abcdf001f7a3efdd1d14aadca17e6","sha512_sri":"sha512-3BRMKXyD+3iDndCuI+UtZ4xhVkGZpO2xeKLiyhby1khWnL9KldPJnm+riLn6bKYJkLf54vrjGVmmSkcSjR+o6Q=="},"filename":"kelly-stake-3.5.6.tgz"}],"evidence_files":[{"tlsh":"68a1449519a2727346b1ebb8c722941eff2340233561c360f6de96952fb72a4c352dec","path":"scripts/install-check.cjs","sha256":"b5c6c8eb68158e1ace29e3093e25fa891f93681c2cc7bdcf8f4b9ce4c07a5bae"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}