{"id":"MAL-2026-3766","summary":"Malicious code in nock-helper (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d1070514eba7a5f0fedc2760db7710399d38e070d98dc99910d3b49923959820)\nThe package declares `scripts.postinstall: node postinstall.js`, which runs automatically on `npm install`. The script is an explicit credential harvester and crypto-wallet stealer. It reads `~/.npmrc` (npm `_authToken` and `npm_*` tokens), `~/.env` (scraping keys matching TOKEN/API_KEY/DB_URL/PAYMENT/CLOUD/EMAIL/WEBHOOK patterns), and `~/.git-credentials`. It then enumerates Chrome, Brave, Edge, Chromium, Vivaldi, and Opera browser profile directories (`Default`, `Profile 1`, `Profile 2`) reading `Local Extension Settings` for 71 hardcoded crypto wallet extension IDs (MetaMask, Phantom, Coinbase Wallet, and others), and scans `~/Documents` / `~/Desktop` for seed phrase / mnemonic / keystore files. Collected data is POSTed to `http://149.28.127.35:8888` (hardcoded bare-IP C2, overridable via `C2_URL` env). The package further disguises itself: `index.js` is a dummy module self-describing as 'Lodash JavaScript utilities bundle' with the comment `The real payload is in postinstall.js`, and the package name `nock-helper` rides on both `nock` and `lodash` brand recognition. This matches multiple attack fingerprints simultaneously: hardcoded C2 in lifecycle script, browser wallet extension ID enumeration, credential-file scraping, and deceptive package identity.\n","modified":"2026-05-15T07:50:54.159423Z","published":"2026-05-14T19:24:59Z","database_specific":{"malicious-packages-origins":[{"sha256":"1e6129616a9cf7f471c616f4cee8a7ae2d0c34a62eb81eb7f974aeb96b9d6e4d","id":"IN-MAL-2026-002675","versions":["1.0.4"],"source":"amazon-inspector","modified_time":"2026-05-14T19:25:00Z","import_time":"2026-05-15T07:37:15.890130557Z"},{"sha256":"a4b3e5ef3f40fab37240849e4e879b5568118f7672f311e1d46f9d543c0ac9f1","id":"IN-MAL-2026-002673","versions":["1.0.2"],"source":"amazon-inspector","modified_time":"2026-05-14T19:24:59Z","import_time":"2026-05-15T07:37:15.803763968Z"},{"sha256":"d1070514eba7a5f0fedc2760db7710399d38e070d98dc99910d3b49923959820","id":"IN-MAL-2026-002674","versions":["1.0.3"],"source":"amazon-inspector","modified_time":"2026-05-14T19:24:59Z","import_time":"2026-05-15T07:37:15.85174606Z"},{"sha256":"30c36950f1300f5ef0dc3d4475b3660e764d63ba96b6d9a688f16f76815b2773","id":"IN-MAL-2026-002677","versions":["2.0.0"],"source":"amazon-inspector","modified_time":"2026-05-14T19:25:01Z","import_time":"2026-05-15T07:37:15.9671984Z"},{"sha256":"7d4c167b4f48f89a3362df31616bdab08b1edf641e7d87c74b8d3e5840fde2bb","id":"IN-MAL-2026-002676","versions":["1.0.5"],"source":"amazon-inspector","modified_time":"2026-05-14T19:25:01Z","import_time":"2026-05-15T07:37:15.933713482Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/nock-helper/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/nock-helper/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/nock-helper/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/nock-helper/v/2.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/nock-helper/v/1.0.5"}],"affected":[{"package":{"name":"nock-helper","ecosystem":"npm","purl":"pkg:npm/nock-helper"},"versions":["1.0.4","1.0.2","1.0.3","2.0.0","1.0.5"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nock-helper/MAL-2026-3766.json","indicators":{"package_integrity":[{"hashes":{"sha1":"66a1a07197869792cca174b1f5c8c9e1080c12d5","sha512_sri":"sha512-S26bYOuPXkJuMM9tkPEycw+OFxis2bhipxhQXgG+qefpqfTK5T6UM3I7LvZDwRilJEPP5XxujtLz/IATnj4IJw=="},"filename":"nock-helper-1.0.4.tgz"}],"evidence_files":[{"sha256":"6ac41974ce61de899439008088ad972e7ab2ac161b3abf61fcd6796f28a941d9","path":"postinstall.js","tlsh":"0452e994aaa9021c596382bbd75775b40499e90b35c1e8b4f78f03489f0974d2ef33bb"},{"sha256":"03c624bd3e4b5f93ef13ca3787c701d6676ecda6bdd6dc779d62efe0dc496151","path":"package.json","tlsh":"b5d02b208a21ce3320c497520917514569714d0b03447c1833db116d479f3ba4cff60e"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}