{"id":"MAL-2026-3756","summary":"Malicious code in cheerio-tool (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2d51a2885f4eaff732d1ef7ab065b04d21c59263b1212d5b92b92c87914ef879)\ncheerio-tool typosquats the popular `cheerio` HTML parser (README claims 'Cheerio Tool utility helpers', keywords are 'lodash','utilities', and index.js self-describes as 'lodash-js — Just a dummy module. The real payload is in postinstall.js'). On `npm install`, the declared postinstall script `node postinstall.js` runs a credential harvester and crypto-wallet scanner. It reads installer secret files including `~/.npmrc`, `~/.env`, and `~/.git-credentials`, extracts npm auth tokens (`_authToken`, `npm_[A-Za-z0-9]{36}`), API keys, database URLs, AWS/GCP cloud credentials, payment keys, and webhook secrets. It enumerates Chrome, Brave, Edge, Chromium, Vivaldi, and Opera profile directories, iterates `Local Extension Settings/\u003cwallet-id\u003e` against 71 hardcoded browser wallet extension IDs (MetaMask `nkbihfbeogaeaoehlefnkodbefgpgknn`, Phantom, Coinbase, Trust, Ledger, Trezor, etc.), and regex-matches vault, mnemonic, seed phrase, private key, and encrypted-blob material from the LevelDB `.log` files. It additionally scans `~/Documents`, `~/Desktop`, and `~/Downloads` for files matching seed/backup/wallet/phrase/crypto/metamask/phantom/vault/key/private and checks contents against BIP-39 wordlists. Collected data is bundled with hostname and username and POSTed to hardcoded `http://149.28.127.35:8888` (plain HTTP, bare IPv4, overridable via `C2_URL` env var). The source self-identifies as 'Token harvester + Crypto wallet scanner — Runs on npm install. Silent. Zero trace.' Any developer or CI system that installs this package loses their npm publish token, project environment secrets, git credentials, and browser-resident cryptocurrency wallet seed phrases.\n","modified":"2026-05-15T07:52:46.954029Z","published":"2026-05-14T19:24:51Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.4"],"source":"amazon-inspector","sha256":"085d4e53d556a496d4d5295afbdf94d97c4e361e84486c19f3095de48363375d","modified_time":"2026-05-14T19:24:51Z","import_time":"2026-05-15T07:37:15.490402313Z","id":"IN-MAL-2026-002657"},{"versions":["1.0.3"],"source":"amazon-inspector","sha256":"2d51a2885f4eaff732d1ef7ab065b04d21c59263b1212d5b92b92c87914ef879","modified_time":"2026-05-14T19:24:51Z","import_time":"2026-05-15T07:37:15.436068273Z","id":"IN-MAL-2026-002656"},{"versions":["1.0.5"],"source":"amazon-inspector","sha256":"e181c3d755ca04ad5d20706f0e3461d1d7c3e17f91f34c7f5d90819bcf255b82","modified_time":"2026-05-14T19:24:52Z","import_time":"2026-05-15T07:37:15.554392041Z","id":"IN-MAL-2026-002658"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cheerio-tool/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cheerio-tool/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cheerio-tool/v/1.0.5"}],"affected":[{"package":{"name":"cheerio-tool","ecosystem":"npm","purl":"pkg:npm/cheerio-tool"},"versions":["1.0.4","1.0.3","1.0.5"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-CbrJsbjEuVvRYDeEUOO/nHHL3r68ZjWAK2JwOFlC8Xz/1VVWdiidFrkpdZ/NIVgCBzpAKjLKDN/OQBe1qxKcYg==","sha1":"39d571d10289f83ff52e84b4ff8584510e87c75a"},"filename":"cheerio-tool-1.0.4.tgz"}],"evidence_files":[{"tlsh":"0452e994aaa9021c596382bbd75775b40499e90b35c1e8b4f78f03489f0974d2ef33bb","path":"postinstall.js","sha256":"6ac41974ce61de899439008088ad972e7ab2ac161b3abf61fcd6796f28a941d9"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cheerio-tool/MAL-2026-3756.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}