{"id":"MAL-2026-10099","summary":"Malicious code in polipoli-pak (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a8693677ff1f1f887c11d3b4f6ad3f1742c7eefd07b6b8cfabd6cfccc32bc48f)\nOn npm install, postinstall.js runs automatically and performs two unauthorized actions against the installer. First, it POSTs a JSON fingerprint of the installing machine — os.hostname(), os.userInfo().username, platform, arch, node version, cwd, INIT_CWD, npm user-agent, and the sorted list of every process.env variable name — to a hardcoded webhook.site canary URL (https://webhook.site/a428f027-90c9-45e2-acca-ffbb4ea86044) that the installer never configured. Second, it walks common project locations under INIT_CWD (index.html, public/index.html, src/index.html, dist/index.html, build/index.html) and rewrites each file via fs.writeFileSync to inject a fixed-position red banner div into the page body. The environment-variable name inventory reveals which credentials are present on the host, and the HTML rewrite silently modifies files the installer owns at install time.\n","modified":"2026-07-09T23:02:02.510826275Z","published":"2026-07-09T22:52:20Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-09T22:52:20Z","source":"amazon-inspector","import_time":"2026-07-09T22:56:36.883954615Z","versions":["1.0.1"],"id":"IN-MAL-2026-009585","sha256":"a8693677ff1f1f887c11d3b4f6ad3f1742c7eefd07b6b8cfabd6cfccc32bc48f"},{"modified_time":"2026-07-09T22:52:35Z","source":"amazon-inspector","id":"IN-MAL-2026-009587","versions":["1.0.2"],"sha256":"af550191d3d4cb2984b26cf7a5aba9ae8c003fa781008b7d7821110d4eefa62d","import_time":"2026-07-09T22:56:37.07679088Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/polipoli-pak/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/polipoli-pak/v/1.0.2"}],"affected":[{"package":{"name":"polipoli-pak","ecosystem":"npm","purl":"pkg:npm/polipoli-pak"},"versions":["1.0.1","1.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/polipoli-pak/MAL-2026-10099.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-rNxmFMVIYrd5sqNavgBJTZe9b9MENi6RuHLS0mOZ2gyiIyQEsDITvzGS/JYzT4uRNzHwHKQInCbCymzwjlL+/g==","sha1":"6d422b1d6d5a405abed6076b0ae3f4b25471df9d"},"filename":"polipoli-pak-1.0.2.tgz"}],"evidence_files":[{"path":"postinstall.js","tlsh":"bd71e9820e2442392ab629e053af6546e3b6d1014194f970f85ed0582fd12b4075bfee","sha256":"29514935dcc304a025ea79b7385998bcb040e067da03eeace456985a73125041"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}