MAL-2026-6120

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@caspianph/storyteller/MAL-2026-6120.json
JSON Data
https://api.test.osv.dev/v1/vulns/MAL-2026-6120
Published
2026-06-18T16:09:47Z
Modified
2026-06-18T17:16:37.633602640Z
Summary
Malicious code in @caspianph/storyteller (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3bd24daaa395f2e6bfae7c6e6f488a6e114b87e2606ec1bce7dcd4ab6a92f40a)

The package ships setup.cjs containing heavily obfuscated JavaScript with hex-mangled identifiers (_0x32549a, _0x4b2b44, _0x78c349, _0x119ac2) typical of payload-hiding techniques. A file named setup.cjs in an npm package is structurally positioned to be invoked from a lifecycle hook (preinstall/install/postinstall) or required at module load. Legitimate npm packages do not obfuscate their install-time code; obfuscation in this position is overwhelmingly used to hide network beacons, credential reads, or dropper logic from casual inspection.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.1.13"
            ],
            "import_time": "2026-06-18T17:08:46.248534627Z",
            "id": "IN-MAL-2026-006986",
            "modified_time": "2026-06-18T16:09:47Z",
            "source": "amazon-inspector",
            "sha256": "3bd24daaa395f2e6bfae7c6e6f488a6e114b87e2606ec1bce7dcd4ab6a92f40a"
        }
    ]
}

Affected packages

npm / @caspianph/storyteller

Package

Name
@caspianph/storyteller
Purl
pkg:npm/%40caspianph%2Fstoryteller

Affected ranges

Affected versions

1.*
1.1.13

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "storyteller-1.1.13.tgz",
            "hashes": {
                "sha512_sri": "sha512-qxi4fUIsvUjqtIAZMj9lNGbxEt3jAVH9UO346sNBzYr6XXB2QFBmbcgA+16WFBZrXsEg0Uet+7aofKnUweGlmg==",
                "sha1": "10c76ebce0ae839094ffa71d324b9fcc8ce47f3f"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "8da1835d2be5f491075a46a3312be0dae48b8c26b7168dccac00af787e84375e685d35",
            "path": "setup.cjs",
            "sha256": "6d74592e95cfaa3c8a34d6bf87a7ca5a0cb46d4503f7a0f53880fbc0e55534e2"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@caspianph/storyteller/MAL-2026-6120.json"