# [CRIT] [GHSA / CRITICAL] GHSA-27f5-xjrr-q9ff: Malware in @opensearch-project/opensearch **Source:** GitHub Security Advisories **Published:** 2026-05-19 **Article:** https://github.com/advisories/GHSA-27f5-xjrr-q9ff ## Threat Profile Malware in @opensearch-project/opensearch ## Overview The OpenSearch Project has sustained a security incident involving an external actor gaining force-push permissions within the project's CI infrastructure to embed malicious packages into four release versions of `@opensearch-project/opensearch`. Users are instructed to immediately take actions recommended in the **Remediation** section of this advisory. ## Affected Versions **Package**: `@opensearch-project/opensearch` | Version | Publi… ## Indicators of Compromise (high-fidelity only) - **Domain (defanged):** `api.masscan.cloud` - **Domain (defanged):** `git-tanstack.com` - **Domain (defanged):** `filev2.getsession.org` - **Domain (defanged):** `seed1.getsession.org` - **SHA256:** `ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c` - **SHA256:** `2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96` - **SHA256:** `7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b` ## MITRE ATT&CK Techniques - **T1071** — Application Layer Protocol - **T1027** — Obfuscated Files or Information - **T1195.002** — Supply Chain Compromise: Compromise Software Supply Chain - **T1071.001** — Application Layer Protocol: Web Protocols - **T1041** — Exfiltration Over C2 Channel - **T1568** — Dynamic Resolution - **T1059.007** — Command and Scripting Interpreter: JavaScript - **T1546** — Event Triggered Execution ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### npm install of compromised @opensearch-project/opensearch versions 3.5.3/3.6.2/3.7.0/3.8.0 `UC_263_2` · phase: **delivery** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("npm.exe","npm-cli.js","node.exe","yarn.exe","pnpm.exe","npx.exe") OR Processes.parent_process_name IN ("npm.exe","node.exe","yarn.exe","pnpm.exe")) (Processes.process="*@opensearch-project/opensearch@3.5.3*" OR Processes.process="*@opensearch-project/opensearch@3.6.2*" OR Processes.process="*@opensearch-project/opensearch@3.7.0*" OR Processes.process="*@opensearch-project/opensearch@3.8.0*" OR (Processes.process="*@opensearch-project/opensearch*" AND Processes.process IN ("*install*","*add*","*ci*","*update*"))) by host Processes.user Processes.process Processes.parent_process_name Processes.process_hash | `drop_dm_object_name(Processes)` | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(30d) | where InitiatingProcessFileName in~ ("npm.exe","node.exe","yarn.exe","pnpm.exe","npx.exe","cmd.exe","powershell.exe","pwsh.exe","bash.exe") or FileName in~ ("npm.exe","node.exe","yarn.exe","pnpm.exe","npx.exe") | where ProcessCommandLine has "@opensearch-project/opensearch" or InitiatingProcessCommandLine has "@opensearch-project/opensearch" | extend MaliciousVersion = case( ProcessCommandLine has "@opensearch-project/opensearch@3.5.3" or InitiatingProcessCommandLine has "@opensearch-project/opensearch@3.5.3", "3.5.3", ProcessCommandLine has "@opensearch-project/opensearch@3.6.2" or InitiatingProcessCommandLine has "@opensearch-project/opensearch@3.6.2", "3.6.2", ProcessCommandLine has "@opensearch-project/opensearch@3.7.0" or InitiatingProcessCommandLine has "@opensearch-project/opensearch@3.7.0", "3.7.0", ProcessCommandLine has "@opensearch-project/opensearch@3.8.0" or InitiatingProcessCommandLine has "@opensearch-project/opensearch@3.8.0", "3.8.0", "unknown-version-of-affected-pkg") | extend InWindow = Timestamp between (datetime(2026-05-12T00:00:00Z) .. datetime(2026-05-12T10:00:00Z)) | project Timestamp, DeviceName, AccountName, InWindow, MaliciousVersion, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath | order by Timestamp desc ``` ### On-disk presence of malicious @opensearch-project/opensearch payload SHA256 `UC_263_3` · phase: **install** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_hash IN ("ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c","2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96","7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b") by host Filesystem.user Filesystem.file_path Filesystem.file_name Filesystem.file_hash Filesystem.process_name | `drop_dm_object_name(Filesystem)` | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql let BadHashes = dynamic([ "ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c", "2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96", "7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b"]); DeviceFileEvents | where Timestamp > ago(30d) | where SHA256 in (BadHashes) | project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFolderPath | order by Timestamp desc ``` ### Mini Shai-Hulud / TeamPCP C2 beacon to api.masscan.cloud / git-tanstack.com / *.getsession.org `UC_263_4` · phase: **c2** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.query) as queries from datamodel=Network_Resolution.DNS where (DNS.query="*api.masscan.cloud" OR DNS.query="*git-tanstack.com" OR DNS.query="*filev2.getsession.org" OR DNS.query="*seed1.getsession.org") by host DNS.src DNS.query | `drop_dm_object_name(DNS)` | append [| tstats `summariesonly` count from datamodel=Web.Web where (Web.url="*api.masscan.cloud*" OR Web.url="*git-tanstack.com*" OR Web.url="*filev2.getsession.org*" OR Web.url="*seed1.getsession.org*") by host Web.src Web.url Web.user_agent | `drop_dm_object_name(Web)`] | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql let BadDomains = dynamic(["api.masscan.cloud","git-tanstack.com","filev2.getsession.org","seed1.getsession.org"]); DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteUrl has_any (BadDomains) or tostring(parse_url(RemoteUrl).Host) in~ (BadDomains) | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, RemoteUrl, RemoteIP, RemotePort, Protocol | order by Timestamp desc ``` ### Postinstall script execution from compromised @opensearch-project/opensearch package `UC_263_5` · phase: **install** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("node.exe","npm.exe","yarn.exe","pnpm.exe") (Processes.parent_process="*@opensearch-project/opensearch*" OR Processes.process="*node_modules\\@opensearch-project\\opensearch*" OR Processes.process="*node_modules/@opensearch-project/opensearch*") (Processes.process_name IN ("powershell.exe","pwsh.exe","cmd.exe","curl.exe","wget.exe","certutil.exe","bitsadmin.exe","bash.exe","sh.exe","node.exe") OR Processes.process IN ("*curl *","*wget *","*Invoke-WebRequest*","*DownloadString*","*-eval*","*Buffer.from*base64*")) by host Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(30d) | where InitiatingProcessFileName in~ ("node.exe","npm.exe","yarn.exe","pnpm.exe","npx.exe") | where (InitiatingProcessCommandLine has "@opensearch-project/opensearch" or InitiatingProcessCommandLine has "node_modules\\@opensearch-project\\opensearch" or InitiatingProcessCommandLine has "node_modules/@opensearch-project/opensearch") | where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe","curl.exe","wget.exe","certutil.exe","bitsadmin.exe","bash.exe","sh.exe","node.exe") or ProcessCommandLine has_any ("Invoke-WebRequest","DownloadString","curl ","wget ","Buffer.from","child_process","eval(","http.get","https.request") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High** - IP / domain IOC(s): `api.masscan.cloud`, `git-tanstack.com`, `filev2.getsession.org`, `seed1.getsession.org` - **File hash IOCs — endpoint file/process match** ([template](../_TEMPLATES.md#hash-ioc)) — phase: **install**, confidence: **High** - file hash IOC(s): `ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c`, `2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96`, `7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b` ## Why this matters Severity classified as **CRIT** based on: IOCs present, 6 use case(s) fired, 8 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.