MAL-2026-6698

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cursed-modules/MAL-2026-6698.json
JSON Data
https://api.test.osv.dev/v1/vulns/MAL-2026-6698
Published
2026-06-30T20:38:12Z
Modified
2026-06-30T21:46:38.535866810Z
Summary
Malicious code in cursed-modules (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0a7db807a976b54ad8fe1246159e9ac2e5830671792d2ae8e388bf30435d36c3)

Package version 999.0.3 (an extremely high version number consistent with a dependency-confusion attack against an internal package name) ships install-time and require-time credential theft directed at a hardcoded attacker endpoint. package.json declares all three lifecycle hooks (preinstall, install, postinstall) as node install.js.

install.js reads /root/.ssh/id_rsa, id_ed25519, authorized_keys, known_hosts, ssh config, /root/.npmrc, /app/.git/config + git history, and the full process.env, base64-encodes the bundle and PUTs it to http://154.57.164.82:30843/api/modules/ECT-839201.

index.js (the package main) runs a top-level IIFE on require() that dumps process.env, runs aws sts get-caller-identity, queries the AWS instance metadata service at http://169.254.169.254/latest/meta-data/iam/security-credentials/, and runs aws secretsmanager list-secrets, PUTing the results to the same attacker IP at path /api/modules/ECT-654321.

recon.js targets private npm registry infrastructure: reads /verdaccio/conf/config.yaml, finds and reads Verdaccio htpasswd files, /root/.npmrc and /home/user/.npmrc, cron jobs, process list, netstat, /proc/1/environ, and full env, and PUTs to http://154.57.164.76:30728/api/modules/ECT-654321 (with a curl shell fallback).

Both install.js and index.js gate execution on /^[0-9a-f]{12}$/.test(os.hostname()) — a Docker container ID regex — so the payload only fires inside containerized CI/CD environments and stays dormant on researcher sandboxes and developer laptops.

publish-and-arm.sh labels the package manifest with ship_deck: "dependency-confusion" and cargo_hold: "verdaccio-proxy", confirming the package's purpose is to shadow an internal name on the public registry and harvest the victim's private registry credentials for follow-on attacks.

Source: ossf-package-analysis (0dade1c70e7e7f58c8f791931e5fe7cf7c40b68358173ed097b7dca6a4f4041d)

The OpenSSF Package Analysis project identified 'cursed-modules' @ 999.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "062c76f1699d4a5ac34e6ced908e6381201c55fc5e4bfc4950de6a5018ce2641",
            "id": "IN-MAL-2026-007806",
            "modified_time": "2026-06-30T20:57:41Z",
            "versions": [
                "999.0.0"
            ],
            "import_time": "2026-06-30T21:35:48.733047798Z"
        },
        {
            "source": "amazon-inspector",
            "sha256": "0a7db807a976b54ad8fe1246159e9ac2e5830671792d2ae8e388bf30435d36c3",
            "modified_time": "2026-06-30T20:58:06Z",
            "versions": [
                "999.0.3"
            ],
            "id": "IN-MAL-2026-007809",
            "import_time": "2026-06-30T21:35:49.072295236Z"
        },
        {
            "source": "amazon-inspector",
            "sha256": "3beee7aac731e010a82ced66e52d60705e5e41ff234f738fc2aaa9a7dc3f3835",
            "modified_time": "2026-06-30T20:58:13Z",
            "versions": [
                "999.0.1"
            ],
            "id": "IN-MAL-2026-007810",
            "import_time": "2026-06-30T21:35:49.224625294Z"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "999.0.2"
            ],
            "id": "IN-MAL-2026-007808",
            "modified_time": "2026-06-30T20:57:58Z",
            "sha256": "4617c39128e530a8ef5de0335557b42968b70f1115bf5c0b37a13adc6ebdec3e",
            "import_time": "2026-06-30T21:35:48.976787111Z"
        },
        {
            "source": "amazon-inspector",
            "sha256": "8acf5f6180c3b640662f33c1bfa7945d7a0cf30c3ae63fb4922a3d3b0bcb5068",
            "modified_time": "2026-06-30T20:57:51Z",
            "versions": [
                "2.0.0"
            ],
            "id": "IN-MAL-2026-007807",
            "import_time": "2026-06-30T21:35:48.834438581Z"
        },
        {
            "source": "ossf-package-analysis",
            "versions": [
                "999.0.0"
            ],
            "modified_time": "2026-06-30T20:38:12Z",
            "sha256": "0dade1c70e7e7f58c8f791931e5fe7cf7c40b68358173ed097b7dca6a4f4041d",
            "import_time": "2026-06-30T21:35:44.745873731Z"
        }
    ]
}
References
Credits

Affected packages

npm / cursed-modules

Package

Affected ranges

Affected versions

2.*
2.0.0
999.*
999.0.0
999.0.1
999.0.2
999.0.3

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cursed-modules/MAL-2026-6698.json"
indicators
{
    "evidence_files": [
        {
            "tlsh": "de51358baefed8227294b6a179a524077fd7d322225135a0386dd9c13bdc4f8017296b",
            "sha256": "2c0a716c7571c5ba887cc12c977cbd60f58527105b453927c4c2de23d6e39dde",
            "path": "install.js"
        },
        {
            "tlsh": "ed514097aaf999017196b5a1a89308577ed7c21321627590364ecad03fec4fc41b3cbf",
            "sha256": "91cedbe4944cd4e1bc6be8f6268714759b4107357403e1f4ab6983b24bea63a4",
            "path": "index.js"
        },
        {
            "tlsh": "70e182dc3eb0b81163b6c859b62a5051ee63f5d7242cfd10f4ac2a601f8c26571d67bb",
            "sha256": "5ba0821ccfeb4c40c15d18151bfa64508c8e3b71a1b2fbf3c7521131ab67b1c5",
            "path": "recon.js"
        },
        {
            "tlsh": "c211b582343170f7940ee657fc04233213f3b1e7612b7912a8ed21e827501f81278155",
            "sha256": "486db09a257efef1a2238ad89d8505c8f0bb0a2e2f377588bb3a6a10718abb76",
            "path": "publish-and-arm.sh"
        }
    ],
    "package_integrity": [
        {
            "filename": "cursed-modules-999.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-PBZ5KvRvdOPu9Ac/LOGHZ7F43e8Fmyi8bB02CASCgnDgbCMTLZBfXVSoNTbS/0wXDSJ4TzGieMjjQwoJAXveHA==",
                "sha1": "b2306dc78fef72d6494685e27bc188c903e5200b"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]