{"id":"MAL-2026-3059","summary":"Malicious code in @clearpool/utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (81591bb660ad3ae2036615d00a3ff6960ccd2f36789a4f0df65a53ea7a557336)\npackage.json declares `preinstall` and `install` lifecycle hooks that collect installer-identifying data (`whoami`, `hostname`, `pwd`, `$npm_package_name`), base64-encode it, and transmit it to attacker-controlled infrastructure at `*.callback.m0chan.co.uk` via two independent channels: an HTTPS GET with the encoded payload in the URL path, and a DNS lookup embedding the encoded package name as a subdomain label (DNS-tunnel exfiltration to bypass HTTP egress filters). The package uses the `@clearpool` scope with version `99.99.99` and empty author metadata — classic dependency-confusion markers aimed at hijacking resolution of an internal package name within organizations that use this scope privately. Any developer or CI system running `npm install` with this package resolved will leak user, host, working directory, and the requested internal package name to the attacker, providing reconnaissance for follow-on targeted attacks.\n\n## Source: ossf-package-analysis (402b776bfcc2da45256da8475f7acaa61c2c1f9679e09f0409523062ffe3d823)\nThe OpenSSF Package Analysis project identified '@clearpool/utils' @ 99.99.99 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-13T20:22:38.436168Z","published":"2026-04-26T17:25:37Z","database_specific":{"malicious-packages-origins":[{"sha256":"b432a00368de0df939eba45db1d503e6e8c7540f17924d524a534026d2487ea8","versions":["9.9.9"],"modified_time":"2026-04-26T17:25:37Z","import_time":"2026-04-27T01:40:41.886648731Z","source":"ossf-package-analysis"},{"sha256":"aaf42d3e0422cdf2bd133cbfe2bad48be71bff1682908c0b740817555a83d4a9","versions":["9.9.9"],"modified_time":"2026-04-30T21:59:18Z","import_time":"2026-04-30T22:23:09.292226445Z","source":"amazon-inspector"},{"sha256":"402b776bfcc2da45256da8475f7acaa61c2c1f9679e09f0409523062ffe3d823","versions":["99.99.99"],"modified_time":"2026-05-03T12:37:45Z","import_time":"2026-05-04T03:13:23.513134014Z","source":"ossf-package-analysis"},{"sha256":"d7ef40ea20810d9e89d3d3998c64d7c1acf6dfdf5f9aafa8765a0c2ec4cfbe54","versions":["100.0.0"],"modified_time":"2026-05-04T13:20:40Z","import_time":"2026-05-04T23:49:24.952171956Z","source":"ossf-package-analysis"},{"sha256":"81591bb660ad3ae2036615d00a3ff6960ccd2f36789a4f0df65a53ea7a557336","versions":["99.99.99"],"import_time":"2026-05-13T20:10:56.665534762Z","modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002401","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@clearpool/utils/v/99.99.99"}],"affected":[{"package":{"name":"@clearpool/utils","ecosystem":"npm","purl":"pkg:npm/%40clearpool/utils"},"versions":["9.9.9","99.99.99","100.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"domains":["$pkgsub.callback.m0chan.co.uk"],"evidence_files":[{"sha256":"5f15d70e40687a733596bf143629b360ebdecaf16cef12052a92c7df34d4ea3a","path":"package.json","tlsh":"39115c601031de3139e04f781d00a72d75bc6baf323e7f45a20e5a2f001d165766f61a"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-mc9tFj/bZmwxRws5+RiRNuo4xWn+ZEdxddqpOXtgDwRGGCLAzYaCeG65OrIk/Pd/sFE2MxiEeQYpX5GjgeOeXw==","sha1":"a27ed0001e09a22295b08c0f1d0f27b54fa4fe44"},"filename":"utils-99.99.99.tgz"}],"urls":["https://$pkgsub.callback.m0chan.co.uk/$b64"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@clearpool/utils/MAL-2026-3059.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}