OSV ID
MAL-2026-6363
Ecosystem
npm
Summary
The package's main module (index.js) exports an init() function that spawns /bin/bash via child_process.exec and opens a TCP socket to the hardcoded remote address 49.13.148.41:443, piping the shell's stdio through the socket — a textbook reverse-shell backdoor giving the operator at that IP interactive command execution on any host that calls init(). Package metadata is consistent with a throwaway attack vehicle: empty description, empty author, non-descriptive name npmkekw, and no other functional code. The payload as shipped contains a typo (it references an undefined sh variable and pipes from cp.stdout), so it crashes on first use, but the intent and structure are unambiguous and a one-character fix would make it functional.
Source: amazon-inspector (74384b76540c8d36fef8a30dc2acd3224defeaa8a58d0155101f2f670aa8b153)