MAL-2026-6524: Malicious code in ts-einkle (npm)
The npm package ts-einkle version 1.0.9 contains malicious code executed at install time. It performs credential harvesting by scanning for sensitive configuration files and exfiltrating them to an attacker-controlled server. It also conducts a broad filesystem sweep to upload various document files in batches to the same endpoint. Additionally, on Linux systems, it installs a persistent SSH backdoor by adding an attacker public key to authorized_keys and enabling SSH access via firewall rules. The malicious behavior is disguised with misleading log prefixes and user-agent strings.
AI Analysis
Technical Summary
The ts-einkle npm package version 1.0.9 includes a postinstall script, so the malicious code runs automatically during `npm install`, with the privileges of the installing user and without any action by the victim beyond installing the package. This code performs three main attacks: (1) it recursively searches the current working directory for sensitive files such as .env, config.toml/json, and id.json and sends them via multipart POST to a remote server; (2) it scans the entire user home directory on Unix, or all drive roots on Windows, for document files (.txt, .json, .env, .doc, .docx, .xlsx, .pdf, .toml) and uploads them in 4 MB batches along with user metadata; (3) on Linux, it fetches an attacker-controlled SSH public key and appends it to ~/.ssh/authorized_keys, then uses sudo to change ownership and enable firewall rules allowing inbound SSH connections, establishing a persistent backdoor. The sudo steps only succeed where the installing user can run sudo non-interactively (passwordless sudo on CI images, or cached credentials on a workstation); the key is appended to the user's own authorized_keys regardless, so the backdoor still works wherever sshd is already reachable. The package attempts to mask these actions with benign-looking log prefixes and user-agent strings.
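An added example, not code from the advisory or from the ts-einkle package: a Python audit that finds the affected package in a node_modules tree or a package-lock.json and lists every installed package that declares the preinstall/install/postinstall hooks the malicious version abuses, since that is what a reviewer needs to see before trusting a tree. Only the package name and affected version come from the advisory; the sample project, the package names example-clean and example-native, and the placeholder postinstall command are constructed for the demonstration.

```python
"""Added example: audit an npm project for the package named in MAL-2026-6524
and for any installed package that declares install-time lifecycle scripts.
Not code from the advisory or from ts-einkle. Only the package name and the
affected version come from the advisory; the sample tree is constructed."""
import json
import os
import sys
import tempfile
from pathlib import Path

MALICIOUS = {"ts-einkle": {"1.0.9"}}                   # from MAL-2026-6524
LIFECYCLE = ("preinstall", "install", "postinstall")  # hooks npm runs at install time


def find_package_jsons(root):
    """Yield every package.json that lives under a node_modules directory."""
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files and "node_modules" in Path(dirpath).parts:
            yield Path(dirpath) / "package.json"


def audit_installed(root):
    """Return (malicious_hits, lifecycle_hits) for the installed tree.

    malicious_hits: (name, version, directory) for affected versions.
    lifecycle_hits: (name, version, hook, command) for every package that will
    run code during install, so each command can be reviewed."""
    malicious, lifecycle = [], []
    for pj in find_package_jsons(root):
        try:
            data = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the audit
        name, version = data.get("name"), data.get("version")
        if name in MALICIOUS and version in MALICIOUS[name]:
            malicious.append((name, version, str(pj.parent)))
        for hook in LIFECYCLE:
            cmd = (data.get("scripts") or {}).get(hook)
            if cmd:
                lifecycle.append((name, version, hook, cmd))
    return malicious, lifecycle


def audit_lockfile(lock_path):
    """Check package-lock.json for the affected version even when node_modules
    is absent. lockfileVersion 2/3 carry a 'packages' map keyed by install
    path; v1 nests 'dependencies'."""
    data = json.loads(Path(lock_path).read_text(encoding="utf-8"))
    hits = []
    if "packages" in data:
        for key, entry in data["packages"].items():
            name = entry.get("name") or key.rsplit("node_modules/", 1)[-1]
            if name in MALICIOUS and entry.get("version") in MALICIOUS[name]:
                hits.append((name, entry["version"], key))
    else:
        def walk(deps, chain):
            for name, entry in (deps or {}).items():
                if name in MALICIOUS and entry.get("version") in MALICIOUS[name]:
                    hits.append((name, entry["version"], chain + name))
                walk(entry.get("dependencies"), chain + name + " > ")
        walk(data.get("dependencies"), "")
    return hits


def build_sample_project(base):
    """Constructed sample tree: the affected package, a clean package and a
    benign native module with an install hook (the other names are hypothetical)."""
    base = Path(base)
    pkgs = {
        # placeholder command; the advisory does not name the real script
        "ts-einkle": {"version": "1.0.9", "scripts": {"postinstall": "node install.js"}},
        "example-clean": {"version": "2.3.1"},
        "example-native": {"version": "0.4.0", "scripts": {"install": "node-gyp rebuild"}},
    }
    for name, meta in pkgs.items():
        d = base / "node_modules" / name
        d.mkdir(parents=True, exist_ok=True)
        (d / "package.json").write_text(json.dumps({"name": name, **meta}), encoding="utf-8")
    lock = {"lockfileVersion": 3, "packages": {"": {"name": "sample-app"}}}
    for name, meta in pkgs.items():
        lock["packages"][f"node_modules/{name}"] = {"version": meta["version"]}
    (base / "package-lock.json").write_text(json.dumps(lock), encoding="utf-8")
    return base


def demo():
    """Run both audits over the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_project(tmp)
        malicious, lifecycle = audit_installed(root)
        lock_hits = audit_lockfile(root / "package-lock.json")
    return {
        "malicious": [(n, v) for n, v, _ in malicious],
        "lifecycle": sorted((n, h) for n, _, h, _ in lifecycle),
        "lock": [(n, v) for n, v, _ in lock_hits],
    }


if __name__ == "__main__":
    project = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    bad, hooks = audit_installed(project)
    for n, v, where in bad:
        print(f"AFFECTED {n}@{v} at {where}")
    for n, v, hook, cmd in hooks:
        print(f"lifecycle {n}@{v} {hook}: {cmd}")
    lock = project / "package-lock.json"
    if lock.exists():
        for n, v, key in audit_lockfile(lock):
            print(f"AFFECTED in lockfile {n}@{v} ({key})")
```

Run it against a project directory (`python audit.py /path/to/project`). The lifecycle listing is the useful part beyond this one package: a benign native module legitimately runs `node-gyp rebuild`, while a pure-TypeScript utility has no reason to run anything at install time, and that mismatch is what should prompt a look at the script before `npm install` is allowed to execute it.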
Potential Impact
This malicious package compromises confidentiality by exfiltrating sensitive configuration and document files from the victim's system, including the API keys, tokens and database credentials commonly held in .env and config files. On Linux it also compromises system integrity by installing a persistent SSH backdoor, giving the attacker remote shell access as the victim user (with whatever sudo rights that user holds) that survives removal of the package. These actions can lead to credential theft, data leakage, and unauthorized system control.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package; removal is the fix. Users should avoid installing ts-einkle version 1.0.9 and, if it is already installed, remove it from node_modules and from the lockfile and treat the host as compromised. Because the payload runs at install time, any secrets in .env, config.toml/json or id.json files within the project, and in documents under the user's home directory, should be considered exfiltrated and rotated. On Linux, inspect ~/.ssh/authorized_keys for keys you did not add, check the firewall (iptables, ufw, firewalld) for new rules admitting inbound SSH, review sudo activity in the auth log, and remove both the key and the rule. Install dependencies from trusted sources with a lockfile, review new packages' preinstall/install/postinstall scripts before adopting them, and run `npm install --ignore-scripts` (or set ignore-scripts in the npm config) where the build does not need lifecycle hooks.
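An added example for the Linux triage recommended above, not code from the advisory: it parses an authorized_keys file into key type, SHA256 fingerprint and comment, flags every key whose fingerprint is not on an allowlist, and picks out inbound-SSH allow rules from `iptables -S` or `ufw status` output. The key blobs, the allowlist and the firewall dumps in `demo()` are constructed for the demonstration; `live_report()` reads the real file and runs the real commands, which need root for complete firewall output.

```python
"""Added example for the Linux host triage the advisory recommends; not code
from the advisory. Lists every key in authorized_keys with its SHA256
fingerprint, flags keys missing from an allowlist, and finds inbound-SSH allow
rules in `iptables -S` or `ufw status` output. The key blobs, allowlist and
firewall dumps in demo() are constructed for demonstration."""
import base64
import hashlib
import os
import re
import struct
import subprocess


def parse_authorized_keys(text):
    """Return [(key_type, fingerprint, comment)] per key line; leading options
    such as command="..." are skipped, comment and blank lines ignored."""
    keys = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        ktype, blob, comment = fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # not a valid key blob
        fp = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
        keys.append((ktype, fp, comment))
    return keys


def unknown_keys(text, allowlist):
    """Keys whose fingerprint is not in the set of approved fingerprints."""
    return [k for k in parse_authorized_keys(text) if k[1] not in allowlist]


IPTABLES_SSH = re.compile(r"^-A INPUT\b.*--dport 22\b.*-j ACCEPT")
UFW_SSH = re.compile(r"^(22(/tcp)?|OpenSSH)\s+ALLOW(\s+IN)?\s")


def ssh_allow_rules(dump):
    """Lines from `iptables -S` or `ufw status` that admit inbound TCP/22."""
    out = []
    for line in dump.splitlines():
        line = line.strip()
        if IPTABLES_SSH.search(line) or UFW_SSH.search(line):
            out.append(line)
    return out


def _fake_blob(ktype, pubbytes):
    """Constructed blob in OpenSSH wire format (string type, string key); not a usable key."""
    return base64.b64encode(struct.pack(">I", len(ktype)) + ktype
                            + struct.pack(">I", len(pubbytes)) + pubbytes).decode()


def demo():
    """Constructed authorized_keys with one approved key and one rogue key."""
    admin = _fake_blob(b"ssh-ed25519", bytes(range(32)))
    rogue = _fake_blob(b"ssh-ed25519", bytes(range(32, 64)))
    authorized = (
        "# constructed sample authorized_keys\n"
        f"ssh-ed25519 {admin} admin@build-host\n"
        f'command="/bin/true" ssh-ed25519 {rogue} added-during-install\n'
    )
    allowlist = {k[1] for k in parse_authorized_keys(f"ssh-ed25519 {admin} admin@build-host")}
    iptables_dump = ("-P INPUT DROP\n"
                     "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n"
                     "-A INPUT -p tcp --dport 443 -j ACCEPT\n")
    ufw_dump = ("Status: active\n\nTo                         Action      From\n"
                "--                         ------      ----\n"
                "22/tcp                     ALLOW       Anywhere\n")
    return {
        "keys": parse_authorized_keys(authorized),
        "unknown": unknown_keys(authorized, allowlist),
        "iptables": ssh_allow_rules(iptables_dump),
        "ufw": ssh_allow_rules(ufw_dump),
    }


def live_report(allowlist_path=None):
    """Triage this host: allowlist is a file of approved SHA256 fingerprints."""
    allow = set()
    if allowlist_path:
        with open(allowlist_path, encoding="utf-8") as f:
            allow = set(f.read().split())
    path = os.path.expanduser("~/.ssh/authorized_keys")
    text = open(path, encoding="utf-8").read() if os.path.exists(path) else ""
    rules = []
    for cmd in (["iptables", "-S"], ["ufw", "status"]):
        try:
            res = subprocess.run(cmd, capture_output=True, text=True, check=False)
            rules += ssh_allow_rules(res.stdout)
        except FileNotFoundError:
            pass  # tool not installed on this host
    return unknown_keys(text, allow), rules


if __name__ == "__main__":
    unknown, rules = live_report()
    for ktype, fp, comment in unknown:
        print(f"UNKNOWN KEY {ktype} {fp} {comment}")
    for r in rules:
        print(f"SSH ALLOW {r}")
```

Fingerprints are compared rather than comments because the comment field is free text and an attacker can make it look like anything. Pair the output with the file's owner and modification time (`stat ~/.ssh/authorized_keys`) and with the sudo entries in the auth log around the time of the install, which is where the chown and firewall changes described in the analysis would show up.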
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: MAL-2026-6524
- OSV schema version: 1.7.4
- Aliases: none
- Ecosystems: npm
- Database-specific severity: not set
- CVSS version: not set
Threat ID: 6a3ef7a927e9c79719ffb69d
Added to database: 06/26/2026, 22:05:29 UTC
Last enriched: 06/26/2026, 22:25:51 UTC
Last updated: 06/26/2026, 22:25:51 UTC