{"id":"MAL-2026-3717","summary":"Malicious code in truffle-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (52bd5b41de871fbbc8c5895f63dfec08ba2ff6ecb9ea03fa6fdb5d9245c74616)\nThe package.json lifecycle script invokes require('child_process').execSync with a curl command at install time. Running curl through child_process during an npm install lifecycle hook causes any installer to execute remote content fetched over the network, without consent, as soon as `npm install` runs. The package name also resembles the widely-used 'truffle' Ethereum development toolkit, consistent with a typosquat lure. There is no legitimate reason for a small utility package to shell out to curl from its package.json install hook.\n\n## Source: ossf-package-analysis (c190460255cf713f1797bacece635079c6d3db6a45a58199af29ab1acc9faa2f)\nThe OpenSSF Package Analysis project identified 'truffle-js' @ 2.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-15T07:51:34.946644Z","published":"2026-05-13T12:10:40Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-13T12:10:40Z","versions":["2.0.0"],"sha256":"c190460255cf713f1797bacece635079c6d3db6a45a58199af29ab1acc9faa2f","source":"ossf-package-analysis","import_time":"2026-05-13T21:58:23.402650301Z"},{"versions":["1.0.0"],"modified_time":"2026-05-14T19:25:11Z","id":"IN-MAL-2026-002697","sha256":"52bd5b41de871fbbc8c5895f63dfec08ba2ff6ecb9ea03fa6fdb5d9245c74616","source":"amazon-inspector","import_time":"2026-05-15T07:37:17.1304792Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/truffle-js/v/1.0.0"}],"affected":[{"package":{"name":"truffle-js","ecosystem":"npm","purl":"pkg:npm/truffle-js"},"versions":["2.0.0","1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"57e6d2e75c1ee988439119fab5d3180c1e22b434","sha512_sri":"sha512-CdgVp4qkSZog1dpdY5FedOYEvppGwsIeJVdTpQGTVWKq87lFLYp7POTSCy2CpTImIByMmujBRhMQw4Wd7q1/DQ=="},"filename":"truffle-js-1.0.0.tgz"}],"evidence_files":[{"tlsh":"34f09e14ef1015b314c15e560e175dce5177892740547c64a25f911c839c7fb28ff51a","path":"package.json","sha256":"7744b7d6043dca4f06bedcfd7f313659f70789148878128668a7847c44d97f7a"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/truffle-js/MAL-2026-3717.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}