{"id":"MAL-2026-6575","summary":"Malicious code in @ibrahim1337/baksen (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3594b83aa12e5ab4985211494b6b6f73f6def91aae1210e0ae55f28e572d79a8)\nPackage @ibrahim1337/baksen@2.0.3 is a Windows x64 browser credential stealer. The entry point loads bytenode and executes the V8-bytecode-compiled `index.jsc`, which detects installed Chromium-family browsers (Chrome, Brave, Edge), terminates the browser processes via `taskkill /F /IM` to release database locks, reads each browser's `Local State` to extract the `app_bound_encrypted_key`, then invokes a shipped native Windows addon at `build/Release/debugelevator.node` to perform an App-Bound Encryption bypass via a debug session against the browser process. The decrypted master key is then used to read each browser profile's `Cookies` and `Login Data` SQLite databases (`SELECT encrypted_value FROM cookies`, `SELECT origin_url, username_value, password_value FROM logins`) and write cleartext cookies and saved passwords to local `_cookies/` and `_passwords/` directories. The package ships no C/C++ source and no `binding.gyp` — the 676 KB prebuilt `.node` binary exists solely to defeat Chromium App-Bound Encryption. A companion `src/license.jsc` is js-confuser obfuscated (numeric string-array, control-flow flattening, base64 decoders) and constructs a remote license-check URL, further hiding behavior from source review. The package has no README, `repository` is a placeholder (`yourusername`), and the description is just `baksen` — cover-story metadata for a credential-theft toolkit. Installing and running this package on Windows results in theft of the developer's browser cookies (live session tokens) and saved website passwords.\n","modified":"2026-06-29T07:16:43.477970588Z","published":"2026-06-29T05:24:50Z","database_specific":{"malicious-packages-origins":[{"sha256":"2f30b699682dfdb02ea4c678ae852f449ee33f3aff57b44206a52387fdacf996","id":"IN-MAL-2026-007737","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"import_time":"2026-06-29T07:09:09.013244589Z","versions":["2.0.1"],"source":"amazon-inspector","modified_time":"2026-06-29T05:24:50Z"},{"sha256":"3594b83aa12e5ab4985211494b6b6f73f6def91aae1210e0ae55f28e572d79a8","id":"IN-MAL-2026-007740","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"import_time":"2026-06-29T07:09:09.236457233Z","versions":["2.0.3"],"source":"amazon-inspector","modified_time":"2026-06-29T05:25:16Z"},{"sha256":"3c70e5ca03f88c3002eb0d2dcb4bd54dd235b13e91565d112deb4fa370181010","id":"IN-MAL-2026-007739","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"import_time":"2026-06-29T07:09:09.156398945Z","versions":["1.5.0"],"source":"amazon-inspector","modified_time":"2026-06-29T05:25:07Z"},{"id":"IN-MAL-2026-007738","sha256":"491ac4df82e71d23eb5184150e9890b8aaaf00183be840b75e14ec1c6ff986a3","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"import_time":"2026-06-29T07:09:09.100161745Z","versions":["2.0.0"],"modified_time":"2026-06-29T05:24:58Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@ibrahim1337/baksen/v/2.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@ibrahim1337/baksen/v/2.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@ibrahim1337/baksen/v/1.5.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@ibrahim1337/baksen/v/2.0.0"}],"affected":[{"package":{"name":"@ibrahim1337/baksen","ecosystem":"npm","purl":"pkg:npm/%40ibrahim1337%2Fbaksen"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}
]}],"versions":["2.0.1","2.0.3","1.5.0","2.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ibrahim1337/baksen/MAL-2026-6575.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-OQJUvMWDMG7j4bihgl6aZChSKAcMv6pMAK6U0JL/HGitnGI8RnrGyJiP96bG5fxQRNaZIFBEWSeSLMmrEGaJlQ==","sha1":"74c127d3f042c977cf8976352347ce5249c2d132"},"filename":"baksen-2.0.1.tgz"}],"evidence_files":[{"sha256":"1d7cd48aa929293a396053dbfff97878d17ba0010e171c8d64c279cc11f6996b","path":"index.jsc","tlsh":"67133a117f9eaa6bf469537240af1242373bd5163f23831b170a512f2da39e86ece315"},{"sha256":"50c07a8c2b625d2e6a53eb3751aab9a7357e5a89b66464877086d02cdfc1f627","path":"build/Release/debugelevator.node","tlsh":"5ce4f7a7ed407476ec34503589d3076ba37fb1819362828b2758253e6e97be42f36f84"},{"sha256":"709925e9a9275afd5297350972e52a83a209f5692a3e488e10f7a8e41356fa7f","path":"index.js","tlsh":"00a011c82bb2a2ce22288080c8a08a0238c2c0b0000a8020aa008aea00c88c80aa8cb0"},{"sha256":"58a7fc787d2c6b205b7c3b91108c268f841f4205b8bd24a31095ecf39adef464","path":"package.json","tlsh":"1b112164c4b40ca31bd83990ec7e1a46b2625c478968fc0933e3521c9f9e4a712be67d"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}