{"id":"MAL-2026-3752","summary":"Malicious code in cdp-core (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (dbf55b093e3a93e8d3f536101e62e09cf7e86636cd42813d02f518138cbcb8ed)\nThe package ships cdp_inject.js, which combines child_process, fs, http/https, and base64 encoding to gather system information and exfiltrate it over the network. The file imports http, https, fs, and child_process at the top, reads process.env.USER and other environment data, executes shell utilities (including ping for host reconnaissance), reads files via fs.readFileSync, base64-encodes the collected content (toString('base64') at L205 and L209), and posts it out via https.request/http.get with a hardcoded hostname and POST body. This is the canonical sysinfo+filesystem credential-stealer shape: the package's only on-load effect is to harvest installer-side data and ship it to a network destination. The package name (\"cdp-core\") and absence of any legitimate library functionality consistent with this code further indicate the file's purpose is exfiltration rather than a documented feature.\n","modified":"2026-05-15T07:52:30.016201Z","published":"2026-05-15T03:08:53Z","database_specific":{"malicious-packages-origins":[{"sha256":"c7363417d8658ee8f5fe919dca59c63eedf84d4b9b1023dffad3e9e7bf8e45f0","modified_time":"2026-05-15T03:08:53Z","versions":["1.0.6"],"id":"IN-MAL-2026-002809","source":"amazon-inspector","import_time":"2026-05-15T07:37:20.311931409Z"},{"sha256":"dbf55b093e3a93e8d3f536101e62e09cf7e86636cd42813d02f518138cbcb8ed","modified_time":"2026-05-15T03:11:53Z","versions":["1.0.4"],"id":"IN-MAL-2026-002812","source":"amazon-inspector","import_time":"2026-05-15T07:37:20.506605512Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cdp-core/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cdp-core/v/1.0.4"}],"affected":[{"package":{"name":"cdp-core","ecosystem":"npm","purl":"pkg:npm/cdp-core"},"versions":["1.0.6","1.0.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cdp-core/MAL-2026-3752.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-0sqZnup28jHgkVjrKUhw1KqpqX6URgwwx/R5yHWDEG9liuA4spcYYM9/UU1MZNRZkGyXWr+dE8G9jq9qpGMjLw==","sha1":"b9b0fda4d3f5e30caab94fb86ea20aa3dbf0563e"},"filename":"cdp-core-1.0.6.tgz"}],"evidence_files":[{"tlsh":"6c42a48aa5fb203584b7b0755b5ba8477239d013b140cea47e4c83951fc6dbc92b2bed","sha256":"40ffbf5006c5dd3c7977b4c8cf9dda01f978643f79fa86744faf5fbce669295a","path":"cdp_inject.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}