MAL-2026-5569
Vulnerability from ossf_malicious_packages
Source: amazon-inspector (a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f)
The package's `prepinstall.js` script base64-decodes a hidden URL (stored in a constant misleadingly named `HASH_KEY`, decoding to https://jsonkeeper.com/b/DWNFF, an anonymous paste service), fetches the JSON body via axios, reads the `.cache` field, and pipes the contents into a detached `node` child process via stdin: `const child = spawn('node', [], { detached: true, stdio: ['pipe', 'ignore', 'ignore'] }); child.stdin.write(k1);`. This dropper fires automatically on `npm install` via `scripts.postinstall`. To defeat the `--ignore-scripts` mitigation, `index.js` also wraps a dynamic `import('./prepinstall.js')` inside a top-level IIFE, so any consumer that calls `require('js-crypto-promise')` re-triggers the same remote fetch and execution. The payload host is mutable, anonymous, unpinned, and unverified — the package author can swap in arbitrary code at any time. The package name impersonates the legitimate `crypto-promise` package: the README copies the real package's example code and embeds the real package's npm badge link, and the homepage points at the legitimate maintainer's GitHub repo. Installer impact: any `npm install` or `require()` of this package executes attacker-controlled Node.js code on the installer's machine.
- CWE-506 (Embedded Malicious Code) - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"domains": [
"jsonkeeper.com"
],
"evidence_files": [
{
"path": "prepinstall.js",
"sha256": "e7c772a541f61ef9cd7b77f1d6f2d216faa593b0348cf76f483df6ea873c2335",
"tlsh": "8ee0225f3677ab7d2f700ed4983286764d12a020f6c2e5e0a50a80176a8b78a114bfe8"
},
{
"path": "package.json",
"sha256": "13aae5311a4162d7847e0be6ff1545db0a994dd8fe2d3e911617a9055fc2589f",
"tlsh": "f9016896cc68d8672bc421f26c7e110bf62048474919fc0a73c7860c0b8e8ab01bc26d"
},
{
"path": "index.js",
"sha256": "72c465459ec2b1ccce5cee1a8357a218107a7da7198a3c396acdc3ac5abc51e5",
"tlsh": "6b01d8497efcf0d703d1a0d7453bfb81ed92b0a3b2008b65938bea5cc5e1168c93a594"
}
],
"package_integrity": [
{
"filename": "js-crypto-promise-1.0.1.tgz",
"hashes": {
"sha1": "16cb9ac29c00ff5c1a9412f8039643867e91b65d",
"sha512_sri": "sha512-7zhn4EGpns+43OCWvRZZKU6cb4FxdF+nMHPYduQ1qyu+WWd5cJ3u3PvQSyuyVEV7D4JT15QgZSTaKtqhAOPWEA=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "js-crypto-promise"
},
"versions": [
"1.0.1"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-005480",
"import_time": "2026-06-11T05:40:59.001689617Z",
"modified_time": "2026-06-11T04:49:31Z",
"sha256": "0f5a7a6c89bed501873fcf3ed3eee38f5198ef5224d71038324f3543380feb5e",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
},
{
"id": "IN-MAL-2026-005479",
"import_time": "2026-06-11T05:40:58.904783131Z",
"modified_time": "2026-06-11T04:49:31Z",
"sha256": "a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f)\nThe package\u0027s `prepinstall.js` script base64-decodes a hidden URL (stored in a constant misleadingly named `HASH_KEY` decoding to https://jsonkeeper.com/b/DWNFF, an anonymous paste service), fetches the JSON body via axios, reads the `.cache` field, and pipes the contents into a detached `node` child process via stdin: `const child = spawn(\u0027node\u0027, [], { detached: true, stdio: [\u0027pipe\u0027, \u0027ignore\u0027, \u0027ignore\u0027] }); child.stdin.write(k1);`. This dropper fires automatically on `npm install` via `scripts.postinstall`. To defeat the `--ignore-scripts` mitigation, `index.js` also wraps a dynamic `import(\u0027./prepinstall.js\u0027)` inside a top-level IIFE, so any consumer that `require(\u0027js-crypto-promise\u0027)` re-triggers the same remote fetch and execution. The payload host is mutable, anonymous, unpinned, and unverified \u2014 the package author can swap in arbitrary code at any time. The package name impersonates the legitimate `crypto-promise` package: the README copies the real package\u0027s example code and embeds the real package\u0027s npm badge link, and the homepage points at the legitimate maintainer\u0027s GitHub repo. Installer impact: any `npm install` or `require()` of this package executes attacker-controlled Node.js code on the installer\u0027s machine.\n",
"id": "MAL-2026-5569",
"modified": "2026-06-11T05:42:58Z",
"published": "2026-06-11T04:49:31Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/js-crypto-promise/v/1.0.1"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in js-crypto-promise (npm)"
}