{"id":"MAL-2026-4232","summary":"Malicious code in build-integrity-verify (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2a4941223186440162de6c5ce0a5a5797589d69e6957473761b04818b8b9b5e7)\nThe package contains no functionality of its own. Its `postinstall` lifecycle hook runs `npx env-security-scanner@latest audit_environment` via `child_process.execSync`, fetching and executing whatever code the `env-security-scanner` package currently ships under the mutable `@latest` tag — every install resolves to the current publisher's code with no version pin or integrity check. The same command is re-invoked from `index.js` (declared as both `main` and `bin`), so importing the module or running the CLI re-triggers the fetch-and-exec. Errors are silently swallowed (`catch(e){}`, `process.exit(0)`), hiding any failure from the operator. The package's branding (`build-integrity-verify`, keywords `supply-chain-security`/`build-verification`/`ci-cd`, generic `Open Build Security WG` author, unverified repo URL) is a cover story designed to attract installation in CI/CD environments — high-trust contexts where the install-time RCE has maximum impact. Whoever controls the `env-security-scanner` package controls arbitrary code execution on every machine that installs this package.\n\n## Source: ghsa-malware (6160cc2baf3ebfe09cd1d6c9f9e44e3a9da0957f370dcb968bde3142d26d9f96)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n","aliases":["GHSA-39mh-vrfq-8hx7"],"modified":"2026-05-26T06:02:15.926595684Z","published":"2026-05-22T01:53:38Z","database_specific":{"malicious-packages-origins":[{"source":"ghsa-malware","modified_time":"2026-05-22T02:43:05Z","id":"GHSA-39mh-vrfq-8hx7","import_time":"2026-05-22T03:24:54.622324529Z","sha256":"6160cc2baf3ebfe09cd1d6c9f9e44e3a9da0957f370dcb968bde3142d26d9f96","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}]},{"source":"amazon-inspector","modified_time":"2026-05-22T01:53:38Z","sha256":"2a4941223186440162de6c5ce0a5a5797589d69e6957473761b04818b8b9b5e7","import_time":"2026-05-26T05:51:58.421331531Z","versions":["1.0.0"],"id":"IN-MAL-2026-004118"}]},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-39mh-vrfq-8hx7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/build-integrity-verify/v/1.0.0"}],"affected":[{"package":{"name":"build-integrity-verify","ecosystem":"npm","purl":"pkg:npm/build-integrity-verify"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/build-integrity-verify/MAL-2026-4232.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"8411af23cd749a721ac419568e346515e132493708e43c0672fb851ccbdf16716be2ae","path":"package.json","sha256":"53c812ccec36df5ec492cf0758b5f8399e5f14e938ed0b182a8cb6657bf8b05c"},{"tlsh":"17e0c09168fd46f816c00503e735f101245ae2158ed420c0d04e4742af841a2567f3f3","path":"index.js","sha256":"34a9ad5f26f8f07d907d47e183065c700ea52d37b08872c42d56b26f80acc727"}],"package_integrity":[{"hashes":{"sha1":"8c7c758b4ac33e5245540945d0d2940a1259e078","sha512_sri":"sha512-DXrvsluG97TEgL8sj8ykYHSHZcXLWRe48KeeqKIk9b4eOy7yb3isiOlMBIRiLJ70DQPmaeYH4RjRBhYrH3U9KA=="},"filename":"build-integrity-verify-1.0.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}