{"id":"MAL-2026-4453","summary":"Malicious code in @tarojs/cli (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (59b4e6cd0fe6bd16c6fb2bd04e6542a2a3052182d8815a08b124df56f2d9fde2)\nOn `npm install`, the package's postinstall script performs a reachability GET to https://taro.jd.com/ and, on success, invokes the package's own `bin/taro global-config add-plugin @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com`. Internally this shells out to `npm install @jdtaro/plugin-build-report-performance@latest --registry=http://registry.m.jd.com` in the user's ~/.taro global-config directory. Two installer-harm properties hold simultaneously: (1) the dependency is unpinned (`@latest`) so the bytes resolved at install time are not under the publisher's control, and (2) the registry is reached over plain HTTP (`http://registry.m.jd.com`), so any on-path network attacker can substitute an arbitrary tarball whose own lifecycle scripts will execute as the installing user. The plugin is then persistently registered in the user's global Taro config (`TARO_GLOBAL_CONFIG_DIR`), so it is auto-loaded by every subsequent `taro build` invocation across all projects, with no prompt or opt-in.\nThe name and registry suggest a JD build-telemetry plugin, but the installer-harm concern is independent of intent: unpinned + plain-HTTP fetch-and-execute at lifecycle time is a textbook MITM-to-RCE path.\n","modified":"2026-05-27T00:31:51.724931342Z","published":"2026-05-19T19:06:44Z","withdrawn":"2026-05-26T20:46:07Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-05-19T19:06:44Z","sha256":"260bc742bd36d018e4bdf8b22fceacc1c4c477d92bfaccc5ba6d803dd6d709af","import_time":"2026-05-26T05:50:17.924378731Z","id":"IN-MAL-2026-003253","versions":["4.1.12-beta.47"]},{"source":"amazon-inspector","modified_time":"2026-05-25T08:07:04Z","sha256":"59b4e6cd0fe6bd16c6fb2bd04e6542a2a3052182d8815a08b124df56f2d9fde2","import_time":"2026-05-26T05:52:54.748568895Z","id":"IN-MAL-2026-004596","versions":["4.2.1-beta.0"]},{"source":"amazon-inspector","modified_time":"2026-05-25T08:07:05Z","sha256":"ef2e4036838b6afaac5d53f4f07ceede905e6fad74d373282ff75d24c8fe45fe","import_time":"2026-05-26T05:52:54.861615479Z","id":"IN-MAL-2026-004597","versions":["4.2.1-beta.0"]},{"source":"amazon-inspector","modified_time":"2026-05-19T19:06:45Z","sha256":"f84d67df2a93a52d8c85789b16ba572809d61dd085f25ee2ef48cf3fc8a231e1","import_time":"2026-05-26T05:50:18.020652231Z","id":"IN-MAL-2026-003254","versions":["4.1.12-beta.47"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@tarojs/cli/v/4.1.12-beta.47"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@tarojs/cli/v/4.2.1-beta.0"}],"affected":[{"package":{"name":"@tarojs/cli","ecosystem":"npm","purl":"pkg:npm/%40tarojs%2Fcli"},"versions":["4.1.12-beta.47","4.2.1-beta.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@tarojs/cli/MAL-2026-4453.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"domains":["34.1.16.104.in-addr.arpa","taro.jd.com"],"package_integrity":[{"filename":"cli-4.1.12-beta.47.tgz","hashes":{"sha1":"ce4e26ca070bd76571c4b6aff3496a1cf37c2aa5","sha512_sri":"sha512-cXV7bt+zSO84F6gvTWd1WKaz9ajXR0Y5g/RV1dulMXMOoRpqxtEDA27+O+YxlsdIE8QzD6/QAaLZN4IUKTOitQ=="}}],"evidence_files":[{"tlsh":"37f09e3b59f440232363427ce83f614b321b425220688e68f5ed27510bc33501ad32e4","sha256":"e0dee9027d8ff26268c67077916dbf4bab6505f1c152d018ecec119938aa83b8","path":"postinstall.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}