{"id":"MAL-2026-3771","summary":"Malicious code in request-logger-canary (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cf0d566d7abb400988aea74b00099a6db4c5ea928f32e7d44648193e21a36035)\nrequest-logger-canary@1.0.0 ships a preinstall.js that, when `npm install` runs, opens a TCP socket to 52.74.242.200:8851 and pipes an interactive `/bin/sh` to the remote endpoint (stdin/stdout/stderr all bridged to the socket). The code executes unconditionally at install time via scripts.preinstall — there is no guard, no `if (false)`, no environment check. The README falsely claims the reverse shell is dead code wrapped in `if (false)` and located in postinstall.js; the live payload is actually in preinstall.js with no guard. This misdirection is itself evidence of deliberate supply-chain attack intent. Any machine running `npm install request-logger-canary` hands a root-of-user interactive shell to the operator of 52.74.242.200.\n","modified":"2026-05-15T07:50:28.978061Z","published":"2026-05-14T19:25:32Z","database_specific":{"malicious-packages-origins":[{"sha256":"cf0d566d7abb400988aea74b00099a6db4c5ea928f32e7d44648193e21a36035","import_time":"2026-05-15T07:37:18.417685682Z","modified_time":"2026-05-14T19:25:32Z","versions":["1.0.0"],"source":"amazon-inspector","id":"IN-MAL-2026-002731"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/request-logger-canary/v/1.0.0"}],"affected":[{"package":{"name":"request-logger-canary","ecosystem":"npm","purl":"pkg:npm/request-logger-canary"},"versions":["1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/request-logger-canary/MAL-2026-3771.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-qkTCj7DAIjUmY+Deb4ohssmG4BWuzSYMCJHA0XWmdcnugvwI8eP/t+1XH+BhbdpyPzUlAqQ5jVVrcJHeaDyPVw==","sha1":"4b76c8104a294ac2c7cac6787163795ed52a7885"},"filename":"request-logger-canary-1.0.0.tgz"}],"evidence_files":[{"sha256":"17268959e805d34e252d226171a791ebce45546db77a0803108e7744d6a7f843","path":"preinstall.js","tlsh":"20e0d8dc0bf5a238b6f60cf0e9b055372623c2103343e2e5859d48a156c39ca4e23ef2"},{"sha256":"170a50fd96bdda7a4338c3340844a5d2fae917eaea34d1579972910303cba251","path":"README.md","tlsh":"463126e5d80153a7395682bdd093d058e9e960348b20a879c9f58078a12739ec21fd77"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}