{"id":"MAL-2026-6563","summary":"Malicious code in @thone33/analytics-injector (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (dcef0ea3fd19d9b238a097485faaf7db52d5aa4363653fd7fb29f4c0ff251f92)\nPackage presents itself as an 'analytics injection helper' with a no-op track() export, but its exported activate() function fetches a JavaScript file from https://raw.githubusercontent.com/Dennisfrr/c2-stager/main/the assessment.js (mutable main branch, no integrity check) and passes the response body directly to eval, with fetch errors silently swallowed. Any consumer that imports and invokes activate() executes attacker-controlled JavaScript with full Node process privileges, and the upstream content can change at any time without a package update. The cover-story naming (analytics-injector / track) alongside a remote source repository explicitly named c2-stager indicates deliberate misdirection rather than a legitimate loader pattern.\n","modified":"2026-06-29T05:16:43.675813202Z","published":"2026-06-29T04:50:56Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.0.1"],"id":"IN-MAL-2026-007735","import_time":"2026-06-29T05:07:08.505593908Z","modified_time":"2026-06-29T04:50:56Z","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"sha256":"1926b397e25982fd701d5c1b84b62b63c430b3af2b668c851e5e90d197e34ebb"},{"modified_time":"2026-06-29T04:51:06Z","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"sha256":"dcef0ea3fd19d9b238a097485faaf7db52d5aa4363653fd7fb29f4c0ff251f92","source":"amazon-inspector","versions":["1.0.0"],"id":"IN-MAL-2026-007736","import_time":"2026-06-29T05:07:08.606854805Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@thone33/analytics-injector/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@thone33/analytics-injector/v/1.0.0"}],"affected":[{"package":{"name":"@thone33/analytics-injector","ecosystem":"npm","purl":"pkg:npm/%40thone33%2Fanalytics-injector"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.0.1","1.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@thone33/analytics-injector/MAL-2026-6563.json","indicators":{"evidence_files":[{"path":"index.js","sha256":"d4e051824bf47c38ca26eb48d6f7adf2fd4b87b6ec7a46d15d3988cb4fd500fc","tlsh":"92f0ec9fa48d34748d37f364b35b4145f4326767aa90e174b15ddb044f70f6124b1d28"}],"package_integrity":[{"hashes":{"sha1":"c759d9ce7c1cbf3b2c70c45745445e11655b5a48","sha512_sri":"sha512-TDQQao1u0VQkQpzMyGRRprTK003Ma8ezjKeM2JIPyIvjLArI8g6PrlyNdOgtcAc1Fhu9ebLlh312TKmc5LF6TA=="},"filename":"analytics-injector-1.0.1.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}