MAL-2026-6299
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (a1ab4349bcc1e8f4434817d242b136f6e6050d4acb234aa833d81ffd74942066)
The package's postinstall hook (install-hook.js, invoked via package.json scripts.postinstall) fetches an opaque binary 'payload.bin' from https://github.com/Dimitrijenco/Sticky_note/releases/download/v6/payload.bin — a third-party GitHub release on an account unrelated to the package's claimed author. The downloaded bytes are XOR-decrypted with key 0x42, then loaded into the installer's process: kernel32.dll is loaded via koffi, RWX memory is allocated with VirtualAlloc, the decrypted PE is copied via RtlMoveMemory, VirtualProtect is applied, and CreateThread is started at the parsed PE entry point. This is in-memory shellcode/PE injection on Windows developer machines, executing arbitrary attacker-controlled native code on npm install. After launching the payload, install-hook.js writes a cleanup.js that, after a 3-second delay, runs cmd /c rmdir /s /q on the package folder, removes 'analysis-chart' from the host project's package.json, unlinks install-hook.js, and self-deletes — anti-forensic evidence removal so the developer cannot inspect what ran. The package's index.js exposes a plausible-looking chart statistics API (stats, outliers, trend, correlation, movingAverage, analyze) that is functionally unrelated to install-hook.js and serves as decoy cover; author metadata 'Elena Vogt <elena@analysis-chart.io>' and the referenced repo appear fabricated.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "install-hook.js",
"sha256": "8ca2e876331c8fe62b290eb3f937cfedc8397c38ae7efd25b6c1d66c116b8ec0",
"tlsh": "0fe1658659a162255cb163ea8fa3941ae72b601332608394befdc3442f763548353eff"
},
{
"path": "package.json",
"sha256": "3b00be0de8a311058e3db90d06ca757e4b0be1f5619578c2d8cc42c2049dc79d",
"tlsh": "01014527ce41ce2b9af413a3586e4642f3111f1f10604c0b34fa143c0f371a2249af2a"
}
],
"package_integrity": [
{
"filename": "analysis-chart-2.0.14.tgz",
"hashes": {
"sha1": "f40908f97c2fb9c6c0c15787d0add463a1a13256",
"sha512_sri": "sha512-MpbDItvPmnyAFPI4H5OEUoP3VKhzM99XrCauT4VMe1MA/OBUcj9l3qJ8XmyJYyo1yxs72tgzBECArBtg6pRwXA=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "analysis-chart"
},
"versions": [
"2.0.14",
"2.0.16",
"2.0.11",
"2.0.13",
"2.0.17",
"2.0.18",
"2.0.8",
"2.0.10",
"2.0.19",
"2.0.12",
"2.0.9",
"2.0.15",
"2.0.22",
"2.0.25",
"2.0.24",
"2.0.23",
"2.0.28",
"2.0.26",
"2.0.27",
"2.0.21",
"2.0.20"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007239",
"import_time": "2026-06-23T15:33:53.559016698Z",
"modified_time": "2026-06-23T15:25:10Z",
"sha256": "2864a2449901972e02d0001e4dc85625e22fe7fbb7059c2b47ca68e5f9e002af",
"source": "amazon-inspector",
"versions": [
"2.0.14"
]
},
{
"id": "IN-MAL-2026-007246",
"import_time": "2026-06-23T15:33:54.079690781Z",
"modified_time": "2026-06-23T15:25:20Z",
"sha256": "3a015269ceb39b2c14d5a2dcdd7d00221643abe796fe89ca19af031f2cce8589",
"source": "amazon-inspector",
"versions": [
"2.0.16"
]
},
{
"id": "IN-MAL-2026-007242",
"import_time": "2026-06-23T15:33:53.703122707Z",
"modified_time": "2026-06-23T15:25:13Z",
"sha256": "90b47ebcff30f2bc7800369c73519aef78a993951abb408d0417ac1a2d59cca4",
"source": "amazon-inspector",
"versions": [
"2.0.11"
]
},
{
"id": "IN-MAL-2026-007240",
"import_time": "2026-06-23T15:33:53.630750151Z",
"modified_time": "2026-06-23T15:25:11Z",
"sha256": "a1ab4349bcc1e8f4434817d242b136f6e6050d4acb234aa833d81ffd74942066",
"source": "amazon-inspector",
"versions": [
"2.0.13"
]
},
{
"id": "IN-MAL-2026-007238",
"import_time": "2026-06-23T15:33:53.476573252Z",
"modified_time": "2026-06-23T15:25:09Z",
"sha256": "abe7471c7d6dedda417f026350625e6c59fc1f9142e8581d2ddbf9271aa983f3",
"source": "amazon-inspector",
"versions": [
"2.0.17"
]
},
{
"id": "IN-MAL-2026-007237",
"import_time": "2026-06-23T15:33:53.447036448Z",
"modified_time": "2026-06-23T15:25:08Z",
"sha256": "c69d8529346ea8fdadddfe1bf7929b90d9e9fa2a05c341d009bc299d22359f28",
"source": "amazon-inspector",
"versions": [
"2.0.18"
]
},
{
"id": "IN-MAL-2026-007245",
"import_time": "2026-06-23T15:33:54.038419402Z",
"modified_time": "2026-06-23T15:25:15Z",
"sha256": "cead6a4f96bc1f11c12d7ae744f05efa942b7e01510f1140d03091d1fd9ac656",
"source": "amazon-inspector",
"versions": [
"2.0.8"
]
},
{
"id": "IN-MAL-2026-007243",
"import_time": "2026-06-23T15:33:53.75460268Z",
"modified_time": "2026-06-23T15:25:14Z",
"sha256": "69e73f44c410c45e3622ee2856bb39f8b215a62ed14e3f78e4bfd59d1c7f2636",
"source": "amazon-inspector",
"versions": [
"2.0.10"
]
},
{
"id": "IN-MAL-2026-007235",
"import_time": "2026-06-23T15:33:53.3601459Z",
"modified_time": "2026-06-23T15:25:06Z",
"sha256": "80b28a3207077cdcf31f46855f65b9a34b5e184621a48105a68d89626e2a2bfb",
"source": "amazon-inspector",
"versions": [
"2.0.19"
]
},
{
"id": "IN-MAL-2026-007241",
"import_time": "2026-06-23T15:33:53.66979825Z",
"modified_time": "2026-06-23T15:25:12Z",
"sha256": "a1df4a7199135c43ea62dee912d7817478433ca12b096c6e4338e5a1c7edf5fc",
"source": "amazon-inspector",
"versions": [
"2.0.12"
]
},
{
"id": "IN-MAL-2026-007244",
"import_time": "2026-06-23T15:33:53.856098514Z",
"modified_time": "2026-06-23T15:25:14Z",
"sha256": "de20339f52b63e70ca5a9ca47d746377b1e4c3d32f1299979da6a35e6d23e4b9",
"source": "amazon-inspector",
"versions": [
"2.0.9"
]
},
{
"id": "IN-MAL-2026-007236",
"import_time": "2026-06-23T15:33:53.395589309Z",
"modified_time": "2026-06-23T15:25:07Z",
"sha256": "ffa5d2e2f559fe28da7f21aeaa3705d96dac8a7f196f38adfa2b994ad3280030",
"source": "amazon-inspector",
"versions": [
"2.0.15"
]
},
{
"id": "IN-MAL-2026-007349",
"import_time": "2026-06-23T19:40:42.931714768Z",
"modified_time": "2026-06-23T19:37:52Z",
"sha256": "509b1ccb496a19e767ed8440a47063209afc32476929d37e4381db6f4e4ed98d",
"source": "amazon-inspector",
"versions": [
"2.0.22"
]
},
{
"id": "IN-MAL-2026-007343",
"import_time": "2026-06-23T19:40:42.289053813Z",
"modified_time": "2026-06-23T19:37:47Z",
"sha256": "6e159b8395f43bfb9b920b41eb74fe91195f38eecd111c86770af10452eb4cfc",
"source": "amazon-inspector",
"versions": [
"2.0.25"
]
},
{
"id": "IN-MAL-2026-007345",
"import_time": "2026-06-23T19:40:42.496384119Z",
"modified_time": "2026-06-23T19:37:48Z",
"sha256": "2712de0c6aff4ac7bfb9768bef35aba34a89bfd3c2d02cf553534da36c3c188b",
"source": "amazon-inspector",
"versions": [
"2.0.24"
]
},
{
"id": "IN-MAL-2026-007347",
"import_time": "2026-06-23T19:40:42.726236402Z",
"modified_time": "2026-06-23T19:37:50Z",
"sha256": "5b82aa5cd48a20ff8f3ff41cbc9bf0d4e28e4f66eab928340851fa56027aae32",
"source": "amazon-inspector",
"versions": [
"2.0.23"
]
},
{
"id": "IN-MAL-2026-007342",
"import_time": "2026-06-23T19:40:42.089566081Z",
"modified_time": "2026-06-23T19:37:46Z",
"sha256": "94911e79e5edbf1c5261beb41cf73f21abd36c826a17d6f36e068cfd339f620d",
"source": "amazon-inspector",
"versions": [
"2.0.28"
]
},
{
"id": "IN-MAL-2026-007344",
"import_time": "2026-06-23T19:40:42.383561523Z",
"modified_time": "2026-06-23T19:37:47Z",
"sha256": "af12c3ec91e4c40913086c5ffa64273b05123b20f45a772ce137d45dd2ecad43",
"source": "amazon-inspector",
"versions": [
"2.0.26"
]
},
{
"id": "IN-MAL-2026-007346",
"import_time": "2026-06-23T19:40:42.606943855Z",
"modified_time": "2026-06-23T19:37:49Z",
"sha256": "e2b0499237239c80cb1a3b4e34e11e17b4d8459f8294d55c068657f3082244d8",
"source": "amazon-inspector",
"versions": [
"2.0.27"
]
},
{
"id": "IN-MAL-2026-007350",
"import_time": "2026-06-23T19:40:43.035059761Z",
"modified_time": "2026-06-23T19:37:53Z",
"sha256": "edc5cdd3aa1b9005c0ab92628b519eac1d39354504816949d8a7984758fb37b0",
"source": "amazon-inspector",
"versions": [
"2.0.21"
]
},
{
"id": "IN-MAL-2026-007348",
"import_time": "2026-06-23T19:40:42.833907801Z",
"modified_time": "2026-06-23T19:37:51Z",
"sha256": "ee6e0c25c079ec0d01359f8f6104bf3ddb59921a39dae21fddd259d9f752e36f",
"source": "amazon-inspector",
"versions": [
"2.0.20"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a1ab4349bcc1e8f4434817d242b136f6e6050d4acb234aa833d81ffd74942066)\nThe package\u0027s postinstall hook (install-hook.js, invoked via package.json scripts.postinstall) fetches an opaque binary \u0027payload.bin\u0027 from https://github.com/Dimitrijenco/Sticky_note/releases/download/v6/payload.bin \u2014 a third-party GitHub release on an account unrelated to the package\u0027s claimed author. The downloaded bytes are XOR-decrypted with key 0x42, then loaded into the installer\u0027s process: kernel32.dll is loaded via koffi, RWX memory is allocated with VirtualAlloc, the decrypted PE is copied via RtlMoveMemory, VirtualProtect is applied, and CreateThread is started at the parsed PE entry point. This is in-memory shellcode/PE injection on Windows developer machines, executing arbitrary attacker-controlled native code on `npm install`. After launching the payload, install-hook.js writes a cleanup.js that, after a 3-second delay, runs `cmd /c rmdir /s /q` on the package folder, removes \u0027analysis-chart\u0027 from the host project\u0027s package.json, unlinks install-hook.js, and self-deletes \u2014 anti-forensic evidence removal so the developer cannot inspect what ran. The package\u0027s index.js exposes a plausible-looking chart statistics API (stats, outliers, trend, correlation, movingAverage, analyze) that is functionally unrelated to install-hook.js and serves as decoy cover; author metadata \u0027Elena Vogt \u003celena@analysis-chart.io\u003e\u0027 and the referenced repo appear fabricated.\n",
"id": "MAL-2026-6299",
"modified": "2026-06-23T19:42:37Z",
"published": "2026-06-23T15:25:06Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.14"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.16"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.11"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.13"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.17"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.18"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.8"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.10"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.19"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.12"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.9"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.15"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.22"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.25"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.24"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.23"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.28"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.26"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.27"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.21"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/analysis-chart/v/2.0.20"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in analysis-chart (npm)"
}