{"id":"MAL-2026-4456","summary":"Malicious code in @thesignup/cli (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ba2a0430ac2be1496dc77d4ad0a94d89bcf563d4aadb4eb457812b7572aa8367)\nThe package's scripts/postinstall.cjs runs at install time and performs host reconnaissance (hostname collection, ping/network probing) and posts the results to a remote endpoint via HTTP POST. Lifecycle-time outbound network beacons that gather host identifiers and ship them off-host on `npm install` are an active-attack shape: every installer of this package becomes a data point for the operator, with no consent and no opt-out, and the beacon fires before the user has even had a chance to read the README. The structural fingerprint (postinstall + ping + hostname read + POST to a remote host) is the canonical install-time exfiltration pattern.\n","modified":"2026-05-27T00:31:51.659387823Z","published":"2026-05-20T03:06:44Z","withdrawn":"2026-05-26T18:24:46Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-05-26T05:50:39.189589681Z","id":"IN-MAL-2026-003443","sha256":"8eb160b9b736e0120209e13d882edaba68979adac4e98025ab55507017a62080","modified_time":"2026-05-20T03:06:45Z","versions":["0.0.2"]},{"source":"amazon-inspector","import_time":"2026-05-26T05:50:39.082387478Z","id":"IN-MAL-2026-003442","sha256":"ba2a0430ac2be1496dc77d4ad0a94d89bcf563d4aadb4eb457812b7572aa8367","modified_time":"2026-05-20T03:06:44Z","versions":["0.0.2"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@thesignup/cli/v/0.0.2"}],"affected":[{"package":{"name":"@thesignup/cli","ecosystem":"npm","purl":"pkg:npm/%40thesignup%2Fcli"},"versions":["0.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@thesignup/cli/MAL-2026-4456.json","indicators":{"evidence_files":[{"path":"scripts/postinstall.cjs","sha256":"a16a00d8543fd436591dcca443509a160b85ce7c84cea98163971f01593880bd","tlsh":"e9e1c8cc5aeb523017b3715a961fb089e7a754133319c8b4f89d41083f92678cbe79ea"}],"domains":["34.0.16.104.in-addr.arpa","34.1.16.104.in-addr.arpa","github.com","release-assets.githubusercontent.com"],"package_integrity":[{"hashes":{"sha1":"f011682761d1a49bfa9e3174146f9145609bf811","sha512_sri":"sha512-8bg6sN3rHdzrI8qf042NN3yZKG93uh782/2J1tflf/i3cPK1xERaByda2E2FagR44DEagjpzXjJFnO+ftxLvWQ=="},"filename":"cli-0.0.2.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}