{
  "id": "MAL-2026-3751",
  "summary": "Malicious code in cache-poisoning-pwn-demo (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (dacd21af4f62dd3183bfc4126d1cbcf18600a1c72301b7ae8ca401ec7e44f94e)\nThe package's postinstall hook (`node -e \"try { require('./dist/postinstall.js'); } catch(e) {}\"`) loads dist/postinstall.js, which bundles a poisoned is-number module whose top-level IIFE unconditionally calls `child_process.exec` with a platform-specific command: `open -a Calculator` on macOS, `calc.exe` on Windows, `gnome-calculator`/`xcalc` on Linux. The same IIFE is also present in dist/index.js (the package's `main` entry), so any consumer that does `require('cache-poisoning-pwn-demo')` or `import`s it will also spawn a child process with no user consent. The package self-describes as a supply-chain attack demonstration. While today's payload spawns only a calculator, the mechanism is a fully functional install-time and import-time arbitrary-command executor: any installer running `npm install` or any downstream library that transitively requires this package will execute the hardcoded command in the installer's context. The calculator is a demonstration payload; the delivery primitive is a real attack.\n",
  "modified": "2026-05-15T07:52:29.324204Z",
  "published": "2026-05-14T19:25:08Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "modified_time": "2026-05-14T19:25:10Z",
        "sha256": "9a3d8f969f5fc981e4dcfeb1bef645e7ec18249943178fb845327d60ec8bc9d7",
        "import_time": "2026-05-15T07:37:17.006181729Z",
        "id": "IN-MAL-2026-002694",
        "versions": ["0.1.29"],
        "source": "amazon-inspector"
      },
      {
        "modified_time": "2026-05-14T19:25:08Z",
        "sha256": "9c0bd2fe45166c1ea21732e716ad9cad37c7764d5cff37f0a488c71675c37126",
        "import_time": "2026-05-15T07:37:16.852935068Z",
        "id": "IN-MAL-2026-002692",
        "versions": ["0.1.27"],
        "source": "amazon-inspector"
      },
      {
        "modified_time": "2026-05-14T19:25:09Z",
        "sha256": "dacd21af4f62dd3183bfc4126d1cbcf18600a1c72301b7ae8ca401ec7e44f94e",
        "import_time": "2026-05-15T07:37:16.955866089Z",
        "id": "IN-MAL-2026-002693",
        "versions": ["0.1.28"],
        "source": "amazon-inspector"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/cache-poisoning-pwn-demo/v/0.1.29"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/cache-poisoning-pwn-demo/v/0.1.27"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/cache-poisoning-pwn-demo/v/0.1.28"}
  ],
  "affected": [
    {
      "package": {"name": "cache-poisoning-pwn-demo", "ecosystem": "npm", "purl": "pkg:npm/cache-poisoning-pwn-demo"},
      "versions": ["0.1.29", "0.1.27", "0.1.28"],
      "database_specific": {
        "indicators": {
          "package_integrity": [
            {
              "hashes": {
                "sha1": "09d8cc855a99ace23648aa6508bd243d46f4d4b3",
                "sha512_sri": "sha512-Dxn9iDu83fEU35Tbz89eKKfP9UuhD0uCsENLAIrIrXqGVSO1SlXr4g28vzWhKgdlviRp0MfVyhd9KBR6oCv2rA=="
              },
              "filename": "cache-poisoning-pwn-demo-0.1.29.tgz"
            }
          ],
          "evidence_files": [
            {
              "sha256": "cbd121fe9123f2dc6fbc4dddfd1f407dc86e2f3f435beb0ddd406550b06bd622",
              "tlsh": "043166c1c8fe15b297266164e58b900338b6c512425cf688b63c22f3dfd606c45f99bb",
              "path": "dist/postinstall.js"
            }
          ]
        },
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cache-poisoning-pwn-demo/MAL-2026-3751.json",
        "cwes": [
          {"name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506"}
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [{"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"}]
}