{"id":"MAL-2026-3765","summary":"Malicious code in joi-pack (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5ca38e3574ffcb0fabb105616e28108137c8256e2c70aeede59623bca5df496a)\nThe package declares a postinstall hook (`\"postinstall\": \"node postinstall.js\"` in package.json) that runs unconditionally on `npm install`. The script's own header calls itself a \"Token harvester + Crypto wallet scanner / Runs on npm install. Silent. Zero trace.\" It performs two distinct credential-theft behaviors:\n\n1) Installer secret harvest: reads `~/.npmrc`, `~/.env`, and `~/.git-credentials`; extracts npm auth tokens (regex `npm_[a-zA-Z0-9]{36}`), API keys, database URLs, cloud credentials, EVM private keys (`0x[a-fA-F0-9]{64}`), and git credentials; POSTs the JSON result to the hardcoded bare-IP endpoint `http://149.28.127.35:8888` over plain HTTP (configurable only via `C2_URL` env).\n\n2) Crypto wallet stealer: enumerates 71 hardcoded Chrome/Brave/Edge/Firefox wallet extension IDs (MetaMask `nkbihfbeogaeaoehlefnkodbefgpgknn`, Phantom `bfnaelmomeimhlpmgjnjophhpkkoljpa`, Coinbase, Trust, Ledger, etc.), walks browser profile `Local Extension Settings/\u003cwalletId\u003e` LevelDB `.log` files matching regex for `vault`, `mnemonic`, `seed`, `privateKey`, `password`, `encrypted`, and recursively scans `~/Documents`, `~/Desktop`, `~/Downloads`, `~/OneDrive`, `~/Dropbox`, `~/Google Drive`, `~/backup`, `~/keys`, `~/wallet`, `~/crypto` for seed-phrase and keystore files, exfiltrating hits to the same C2.\n\nThe package's advertised purpose (`keywords: [lodash, utilities]`, description \"Lodash JavaScript utilities bundle\", internal name `lodash-js`) does not match the name `joi-pack` and does not match the payload — `index.js` is an explicit stub (\"Just a dummy module. The real payload is in postinstall.js\"). Name and keywords are cover-story framing piggybacking on the popular `joi` and `lodash` packages.\n","modified":"2026-05-15T07:48:34.131686Z","published":"2026-05-14T19:25:32Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.4"],"source":"amazon-inspector","sha256":"3caea54cdc5f9f780e43fbc5cab85bda8c3f7ee37b565296c18db6713f99c794","import_time":"2026-05-15T07:37:18.540208109Z","id":"IN-MAL-2026-002733","modified_time":"2026-05-14T19:25:33Z"},{"versions":["1.0.5"],"source":"amazon-inspector","sha256":"5ca38e3574ffcb0fabb105616e28108137c8256e2c70aeede59623bca5df496a","import_time":"2026-05-15T07:37:18.585310981Z","id":"IN-MAL-2026-002734","modified_time":"2026-05-14T19:25:33Z"},{"versions":["1.0.3"],"source":"amazon-inspector","sha256":"dfc3730af0bd203e8c642cd12bd2a6cf4f0ba892e633e58781dfade6db085063","import_time":"2026-05-15T07:37:18.462166601Z","id":"IN-MAL-2026-002732","modified_time":"2026-05-14T19:25:32Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/joi-pack/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/joi-pack/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/joi-pack/v/1.0.3"}],"affected":[{"package":{"name":"joi-pack","ecosystem":"npm","purl":"pkg:npm/joi-pack"},"versions":["1.0.4","1.0.5","1.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/joi-pack/MAL-2026-3765.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"joi-pack-1.0.4.tgz","hashes":{"sha1":"59d723ef4f38726fcf849a50ac9d87a9ae9fde10","sha512_sri":"sha512-K2ozPUo6VUxVKtX42CwyLRIzYJZYSBM8JLbL9sOKre+UuYSf/KCWJAOIRBAKna2FNpctF5Z8GBYl+E0Sy0QFYQ=="}}],"evidence_files":[{"tlsh":"0452e994aaa9021c596382bbd75775b40499e90b35c1e8b4f78f03489f0974d2ef33bb","sha256":"6ac41974ce61de899439008088ad972e7ab2ac161b3abf61fcd6796f28a941d9","path":"postinstall.js"},{"tlsh":"66d022004d38f25725678257eb21ca566fe05b8c12258110098e8b80860ab0cc43aae4","sha256":"5efe7ef267152e45c516d2b928ae01d731e9fccf641cf90512ad95b6e4ad98ac","path":"index.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}