{"id":"MAL-2026-3764","summary":"Malicious code in glob-helper (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (091b8ee02b80a8a3fda11c15a6d0b8f657b639100244a4398d046ded5854eb64)\nglob-helper@1.0.2 is a malicious typosquat with no legitimate functionality. Its index.js is a stub; package.json declares `scripts.postinstall: node postinstall.js`, which fires automatically on `npm install`. postinstall.js performs three concurrent credential-theft operations and POSTs the results as JSON over plain HTTP to a hardcoded bare-IP C2 at http://149.28.127.35:8888:\n\n1. Reads ~/.npmrc (extracting _authToken and npm_* tokens), ~/.env (regex-matching NPM_TOKEN, NPM_AUTH_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN), and ~/.git-credentials.\n2. Enumerates Chrome/Brave/Edge/Chromium/Vivaldi/Opera profile directories under ~/.config/*, walks `Local Extension Settings/\u003cwalletId\u003e` for a hardcoded list of 71 crypto-wallet extension IDs (MetaMask `nkbihfbeogaeaoehlefnkodbefgpgknn`, Phantom, Coinbase, Trust, Ledger Live, Trezor, etc.), and greps log contents for `vault`, `seed`, `mnemonic`, `privateKey`, `password`, `encrypted`.\n3. Walks ~/Documents, ~/Desktop, ~/Downloads for files whose names match `seed|backup|wallet|phrase|metamask|phantom|vault|key|private`, opens each, counts BIP39 wordlist matches, and includes file path + content preview in the exfil payload when 8+ BIP39 words are present.\n\nThe package.json keywords list `lodash` and the description is `Glob Helper utility helpers`, but index.js contains the author's own comment `lodash-js — Just a dummy module. The real payload is in postinstall.js`. Installing this package on any developer or CI machine leaks npm publish tokens, AWS keys, GitHub tokens, browser-stored wallet data, and any cryptocurrency seed backups present in the user's home directories.\n","modified":"2026-05-15T07:50:04.893412Z","published":"2026-05-14T19:25:10Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-15T07:37:17.20250508Z","sha256":"01930376eeb72450ef79dabbce9d88507e2ba93123f0356b95287fc674b72619","versions":["1.0.1"],"modified_time":"2026-05-14T19:25:11Z","source":"amazon-inspector","id":"IN-MAL-2026-002699"},{"import_time":"2026-05-15T07:37:20.809961887Z","sha256":"542fe088d2fee135e2cb5178360bdb390a963bd1be4dd816fb5d4dbd27b7ef87","versions":["1.0.0"],"modified_time":"2026-05-15T03:19:42Z","source":"amazon-inspector","id":"IN-MAL-2026-002817"},{"import_time":"2026-05-15T07:37:20.73044623Z","sha256":"74e3e047bbade54548ae02c0f98690df9a5c9392d94592600d71bc2e3de575e6","versions":["1.0.1"],"modified_time":"2026-05-15T03:19:17Z","source":"amazon-inspector","id":"IN-MAL-2026-002816"},{"import_time":"2026-05-15T07:37:20.897695285Z","sha256":"a5eda82b5edd6f7dc941f908a5d7d8b8dc76053f5bf141a97dbb9899c6de75cc","versions":["1.0.3"],"modified_time":"2026-05-15T03:20:47Z","source":"amazon-inspector","id":"IN-MAL-2026-002818"},{"import_time":"2026-05-15T07:37:17.312465531Z","sha256":"bf3e17ad2a01915e88251e0bb744239e1f1af4e8ed0f49ca2b0c433d9ef1814c","versions":["1.0.4"],"modified_time":"2026-05-14T19:25:12Z","source":"amazon-inspector","id":"IN-MAL-2026-002701"},{"import_time":"2026-05-15T07:37:17.429481838Z","sha256":"d2029b1bd45066f0e1f69d954404a7ad1480cceddc9850066c25519445fed1c4","versions":["2.0.0"],"modified_time":"2026-05-14T19:25:13Z","source":"amazon-inspector","id":"IN-MAL-2026-002703"},{"import_time":"2026-05-15T07:37:17.241357268Z","sha256":"091b8ee02b80a8a3fda11c15a6d0b8f657b639100244a4398d046ded5854eb64","versions":["1.0.2"],"modified_time":"2026-05-14T19:25:12Z","source":"amazon-inspector","id":"IN-MAL-2026-002700"},{"import_time":"2026-05-15T07:37:17.087257387Z","sha256":"2e4d100a1dc097212704ad4a8a071b2fa2b7aa6541181a5424cc013e2f7dfbf1","versions":["1.0.0"],"modified_time":"2026-05-14T19:25:10Z","source":"amazon-inspector","id":"IN-MAL-2026-002696"},{"import_time":"2026-05-15T07:37:17.365540983Z","sha256":"3ccf5efb2c9798c39005a553f2cc29d1541332cabee48e21916bed2d78ce2dd0","versions":["1.0.5"],"modified_time":"2026-05-14T19:25:13Z","source":"amazon-inspector","id":"IN-MAL-2026-002702"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/glob-helper/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/glob-helper/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/glob-helper/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/glob-helper/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/glob-helper/v/2.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/glob-helper/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/glob-helper/v/1.0.5"}],"affected":[{"package":{"name":"glob-helper","ecosystem":"npm","purl":"pkg:npm/glob-helper"},"versions":["1.0.1","1.0.0","1.0.3","1.0.4","2.0.0","1.0.2","1.0.5"],"database_specific":{"indicators":{"package_integrity":[{"filename":"glob-helper-1.0.1.tgz","hashes":{"sha1":"742a11d3c968ed8dcc757ff4ee60307d225637c5","sha512_sri":"sha512-PuxC/oS8mw63zwSquTonCH8JxU1OHJpOJSu7xfwNvfJkj7/RpLvlba/LvWQPCLNrZf81CuSKWG6UdNIQ7NLdxg=="}}],"evidence_files":[{"path":"postinstall.js","sha256":"6a5dffd7836eec6f4271dac9ba85466a40bc98ca2b7609172dfce52d0cb70246","tlsh":"f4a165d558a068145dab82e53747b020ae15e183370eddf0f74c0aa48fc0e69e5f3bda"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/glob-helper/MAL-2026-3764.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}