{"id":"MAL-2026-3682","summary":"Malicious code in @chahuadev/junk-sweeper-app (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3d446150767f92344d8d0a699f5879bd746200fb8beb60554408699868f03d51)\nThe package's postinstall script (package.json line 10: \"postinstall\": \"node install.js\") unconditionally fetches a platform-native executable from https://pub-419d22521da042dfb27d1f404b3eb8a6.r2.dev/Junk-Sweeper.exe or /Junk-Sweeper.AppImage, writes it into the package's bin/ directory, and chmods it 0755 on Linux (install.js lines 10, 14-22, 30-67). No SHA-256, signature, or size verification is performed, and HTTP redirects are followed blindly. The package's bin entrypoint (index.js line 32) then spawnSync's the downloaded binary with the user's argv and inherited stdio, giving the bucket owner a persistent, mutable remote-code-execution channel into any installer machine. The hosting domain is an opaque object-storage bucket, not a versioned release artifact from a transparent source (GitHub Releases with tag pinning, npm registry, etc.). Whether or not the current binary contents are malicious, the delivery mechanism allows the content to be swapped at any time without any version change to the npm package.\n","modified":"2026-05-13T20:22:33.302570Z","published":"2026-05-12T07:42:45Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-002219","import_time":"2026-05-13T20:10:53.796741355Z","modified_time":"2026-05-12T19:03:07Z","sha256":"3d446150767f92344d8d0a699f5879bd746200fb8beb60554408699868f03d51","source":"amazon-inspector","versions":["2.0.3"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@chahuadev/junk-sweeper-app/v/2.0.3"}],"affected":[{"package":{"name":"@chahuadev/junk-sweeper-app","ecosystem":"npm","purl":"pkg:npm/%40chahuadev/junk-sweeper-app"},"versions":["2.0.3"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"urls":["https://pub-419d22521da042dfb27d1f404b3eb8a6.r2.dev/Junk-Sweeper.exe"],"domains":["pub-419d22521da042dfb27d1f404b3eb8a6.r2.dev"],"evidence_files":[{"path":"install.js","sha256":"249a56c3a611a1e0f2000dea71b2cce5c6a6c7d3f68e6b747d1b6a53ed2a9aa8","tlsh":"12511e5d1ef3a12442b6c0c96a8f853bb95ec0132209da4db4ec83597fd1a24c685eef"}],"package_integrity":[{"filename":"junk-sweeper-app-2.0.3.tgz","hashes":{"sha1":"ed8178bea6e9714bbfbce8a4c75accb3c2a512dc","sha512_sri":"sha512-JgU8P+pUCZgEj1bsNG/Axg9cOw28X0rOknaKHs5rqgqeLxWzUorOdsnWczVmrAYq3FyFwhBDFm1X6GNeMPGoYw=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@chahuadev/junk-sweeper-app/MAL-2026-3682.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}