{"id":"MAL-2026-4458","summary":"Malicious code in @toni77777/aora (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8566221a9ab9a1cb01b0f23e2af4b140d2e97310701b8c9a8f4bed1481fb22b2)\nOn `npm install`, scripts/postinstall.js fetches a platform-specific executable from `https://github.com/yourusername/aora/releases/download/v0.1.0/\u003casset\u003e`, writes it to `bin/aora`, chmods it 0755, and the package's `bin` entry then spawns it. The download URL points at GitHub account `yourusername` — a placeholder that does not match the package publisher (`@toni77777`). No hash or signature verification is performed on the fetched bytes. Anyone who registers or controls the `yourusername` GitHub account can upload a release at this path and have arbitrary native code executed on every installer's machine. The script also unconditionally overwrites a ~15 MB native binary shipped in the tarball at `bin/aora`, so even the locally auditable bytes are replaced at install time. The fetch is not pinned by hash, the publisher does not match the host, and the resulting binary is executed — the canonical install-time dropper shape.\n","modified":"2026-05-27T00:31:51.701517987Z","published":"2026-05-21T07:14:49Z","withdrawn":"2026-05-26T21:14:22Z","database_specific":{"malicious-packages-origins":[{"sha256":"32fc2b8f288f10a0be2b2d22a064fb67108338b523f2c2061feef6c44ce5435a","import_time":"2026-05-26T05:51:16.776469633Z","source":"amazon-inspector","modified_time":"2026-05-21T07:14:50Z","id":"IN-MAL-2026-003769","versions":["0.1.0"]},{"sha256":"8566221a9ab9a1cb01b0f23e2af4b140d2e97310701b8c9a8f4bed1481fb22b2","import_time":"2026-05-26T05:51:16.659004838Z","source":"amazon-inspector","modified_time":"2026-05-21T07:14:49Z","id":"IN-MAL-2026-003768","versions":["0.1.0"]},{"sha256":"f90e1cdb9d4008d1291017a4c52bd33b0d241d4a92e9e009407d6e9600ed35d1","import_time":"2026-05-26T05:51:16.875345347Z","source":"amazon-inspector","modified_time":"2026-05-21T07:23:41Z","id":"IN-MAL-2026-003770","versions":["0.1.1"]},{"versions":["0.1.1"],"import_time":"2026-05-26T05:51:17.022889646Z","source":"amazon-inspector","modified_time":"2026-05-21T07:23:41Z","id":"IN-MAL-2026-003771","sha256":"49d48f678b5f0189d8b6a5cbea0392ddf69d3adc1df4db9a3be69889ecafa87a"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@toni77777/aora/v/0.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@toni77777/aora/v/0.1.1"}],"affected":[{"package":{"name":"@toni77777/aora","ecosystem":"npm","purl":"pkg:npm/%40toni77777%2Faora"},"versions":["0.1.0","0.1.1"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@toni77777/aora/MAL-2026-4458.json","indicators":{"evidence_files":[{"sha256":"b14639354d2c0b681679c8c0e59c7b3afcc54ed1c02c06418745791bfe65274c","tlsh":"4d41419d09f30138077240c9da4a1d9bf8578612b34aeb5cf46c43497fdbe2584a26ef","path":"scripts/postinstall.js"},{"sha256":"fe48894538a7da975c0ecd784124001d54376075e5afe1fceb3c341956358e24","tlsh":"baf65d03fab60addd5edcc31851c23377b34b54a432096e72ba49e212e42fa15f78796","path":"bin/aora"}],"domains":["github.com"],"package_integrity":[{"hashes":{"sha1":"7000f1f01462e0da8a44611253a1515d14e832df","sha512_sri":"sha512-ShGd14rQs1iX1djS8EPLMNNWkyV1zc4uI6U5+aFS61xlVpjcTH0F1vz/8g3uduycuMOzhBei69wCGE9Qu/YpLg=="},"filename":"aora-0.1.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}