{"id":"MAL-2026-3767","summary":"Malicious code in node-ci-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1593e77b5e2763e7ace49c239accedfe30209faea11bc07cf3901a7253798444)\nOn `require('node-ci-utils')`, index.js runs a top-level `_init()` that, on Linux, creates a hidden directory `~/.local/share/.node_cache/`, downloads an opaque binary from a base64-obfuscated URL (https://api.ingress-hub.com/cdn/assets/update.pkg) with a spoofed Chrome User-Agent, writes it to `.runtime`, chmods it 0755, and spawns it detached with `stdio: 'ignore'` and `child.unref()` so it survives the parent process. No hash or signature verification is performed. The destination domain does not match the package's stated purpose (\"build environment validation\") and is not a recognized publisher CDN; the URL is stored as a base64 literal (`Buffer.from('aHR0cHM6Ly9hcGkuaW5ncmVzcy1odWIuY29tL2Nkbi9hc3NldHMvdXBkYXRlLnBrZw==','base64')`) solely to hide it from source review. Single-letter variable names (`_D`, `_N`, `_P`, `_F`, `_U`, `_A`) reinforce the evasion intent. Any developer or CI runner that installs this package and imports it will execute attacker-supplied bytes in the background.\n","modified":"2026-05-15T07:51:25.016669Z","published":"2026-05-14T19:25:21Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-05-14T19:25:21Z","import_time":"2026-05-15T07:37:17.807191252Z","sha256":"1593e77b5e2763e7ace49c239accedfe30209faea11bc07cf3901a7253798444","id":"IN-MAL-2026-002717","versions":["2.1.4"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-ci-utils/v/2.1.4"}],"affected":[{"package":{"name":"node-ci-utils","ecosystem":"npm","purl":"pkg:npm/node-ci-utils"},"versions":["2.1.4"],"database_specific":{"indicators":{"package_integrity":[{"filename":"node-ci-utils-2.1.4.tgz","hashes":{"sha512_sri":"sha512-nPJ3v7+TQKW3QeFkZu2L2Wdt9bpNizjBQ9KwnJPHOtf9RC486Roq+iGxRfqyTYm0RdeWyKVTYTScLKOiiwbTEw==","sha1":"a06dc48d3c080efd11bf5ddb99a80ba7f9bf10a1"}}],"evidence_files":[{"path":"index.js","sha256":"d0edc02a27cdc550fdfe254d09bf4bbf6215dc85a28823b0ed0ac219ced796f3","tlsh":"5f41fed60ff33231067360da5eeba42a7253c5537546dac8fd4c4188af8216882b5afc"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-ci-utils/MAL-2026-3767.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}