npm · Malicious package advisory
Malware@kedem/okdb
MAL-2026-4399
Malicious code in @kedem/okdb (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (cfce9a94c70e54caff77645f380418abda1bb1a38ad9cda61f6fbeaa482e2fed) The package's CLI entry point at bin/okdb.js is a heavily obfuscated single-line bundle (hex-mangled symbols like _0x2a69e2/_0x5d02f6) that constructs HTTP POST requests to a hardcoded host (node-a.example.com) while reading process.env values and invoking 'ping' commands. The combination of (a) hex-obfuscated variable naming consistent with deliberate concealment, (b) a hardcoded remote POST destination embedded directly in the bundle, and (c) process.env reads adjacent to the network call inside the same obfuscated scope is the canonical command-and-control / environment-exfiltration shape. The bin entry runs whenever an installer invokes the CLI, transmitting host and environment data to the attacker-controlled endpoint. A second file okdb.js at the package root contains additional hardcoded POST patterns reinforcing the same network behavior.
Compromised versions (1)
- 1.8.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.