mal-2026-6121
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (09e070ea98f9c48e77b964b3dacd4d3e7cbd82cf896fc6140ec4c390438debc8)
The package's main module index.js (also loaded indirectly by bin/cli.js) reads a hidden binary file lib/.perf.dat, AES-256-CBC-decrypts it with a hardcoded key/IV, and executes the resulting plaintext via new Function(_r)(). The decrypt-and-execute logic uses string-concatenation obfuscation ('crypt'+'o', 'f'+'s', 'aes-256-cb'+'c') and a silent try/catch to avoid static detection, and the payload file is named with a leading dot and described as 'performance telemetry' despite the package's advertised purpose being a TypeScript lint configuration. The payload (lib/.perf.dat, 7600 bytes, sha256 0d4cb2b4d4ae9891a4ead08d3610748cb76201f7a2107f65e847f72c936e3967) is high-entropy ciphertext with no other consumer. Any developer who require()s this package or runs npx ts-project-lint executes opaque attacker-controlled code in their process, with full filesystem and network access of the calling user. The combination of dynamic code evaluation, obfuscated symbol references, hidden dotfile payload, mismatched cover story, and silent error swallowing matches the canonical opaque-blob dropper pattern.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "index.js",
"sha256": "e23f944cb85328f0a66a68322165371d07fad459e4b049c2dedf754e96e9f957",
"tlsh": "613147d67eb5f4913162a19ad87ebf03b122810954f5f230d1e9e5903f4d0095e392e6"
},
{
"path": "lib/.perf.dat",
"sha256": "0d4cb2b4d4ae9891a4ead08d3610748cb76201f7a2107f65e847f72c936e3967",
"tlsh": "82f1b0e471c3b0056d352f0a34d34f57c7dc3639ac9b591bf1902981ee2e61ad5e982e"
}
],
"package_integrity": [
{
"filename": "ts-project-lint-1.1.0.tgz",
"hashes": {
"sha1": "12b0b2cfacde8ee4b6b4ca175ce9b1e5dedeebc7",
"sha512_sri": "sha512-NQ5ekQ27dls3bV3Jhxf9NgUx0Nl16GVfLoVsg+u4TaG2VmpRb487H9kIYiCCUEaL97OyvCvwtp5rLqjdw7R8MA=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "@gbrlxvi/ts-project-lint"
},
"versions": [
"1.1.0"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007013",
"import_time": "2026-06-18T17:08:48.315353468Z",
"modified_time": "2026-06-18T16:44:00Z",
"sha256": "09e070ea98f9c48e77b964b3dacd4d3e7cbd82cf896fc6140ec4c390438debc8",
"source": "amazon-inspector",
"versions": [
"1.1.0"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (09e070ea98f9c48e77b964b3dacd4d3e7cbd82cf896fc6140ec4c390438debc8)\nThe package\u0027s main module index.js (also loaded indirectly by bin/cli.js) reads a hidden binary file lib/.perf.dat, AES-256-CBC-decrypts it with a hardcoded key/IV, and executes the resulting plaintext via `new Function(_r)()`. The decrypt-and-execute logic uses string-concatenation obfuscation (`\u0027crypt\u0027+\u0027o\u0027`, `\u0027f\u0027+\u0027s\u0027`, `\u0027aes-256-cb\u0027+\u0027c\u0027`) and a silent try/catch to avoid static detection, and the payload file is named with a leading dot and described as \u0027performance telemetry\u0027 despite the package\u0027s advertised purpose being a TypeScript lint configuration. The payload (lib/.perf.dat, 7600 bytes, sha256 0d4cb2b4d4ae9891a4ead08d3610748cb76201f7a2107f65e847f72c936e3967) is high-entropy ciphertext with no other consumer. Any developer who `require()`s this package or runs `npx ts-project-lint` executes opaque attacker-controlled code in their process, with full filesystem and network access of the calling user. The combination of dynamic code evaluation, obfuscated symbol references, hidden dotfile payload, mismatched cover story, and silent error swallowing matches the canonical opaque-blob dropper pattern.\n",
"id": "MAL-2026-6121",
"modified": "2026-06-18T16:44:00Z",
"published": "2026-06-18T16:44:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@gbrlxvi/ts-project-lint/v/1.1.0"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in @gbrlxvi/ts-project-lint (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.