{"id":"MAL-2026-4481","summary":"Malicious code in arc-diag-util (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (95f08d97107d726a6ae90afbf8e354b84a7e13d4a236bc8766180a362cc8344c)\nOn `npm install`, the package's postinstall hook runs `id` to capture the installer's uid/gid/group identity and opens a raw TCP socket to host.docker.internal:9999, writing the command output to that listener. The package's declared main (index.js) is a two-line stub exporting `{}` — there is no library functionality, the postinstall beacon is the package's sole purpose. host.docker.internal resolves to the Docker host from inside a container, so the pattern is specifically designed to escape sandboxed CI/build containers and report installer identity to a listener on the build host. The hollow library body combined with a generic 'diagnostic utility' name is consistent with a dependency-confusion attempt against an internal package name.\n","modified":"2026-05-26T06:02:09.153533446Z","published":"2026-05-20T07:23:00Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:50:43.745478107Z","versions":["1.0.1"],"id":"IN-MAL-2026-003484","source":"amazon-inspector","sha256":"95f08d97107d726a6ae90afbf8e354b84a7e13d4a236bc8766180a362cc8344c","modified_time":"2026-05-20T07:23:00Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/arc-diag-util/v/1.0.1"}],"affected":[{"package":{"name":"arc-diag-util","ecosystem":"npm","purl":"pkg:npm/arc-diag-util"},"versions":["1.0.1"],"database_specific":{"indicators":{"evidence_files":[{"path":"package.json","tlsh":"78f0dc608b20f63f1ac143511834c861252348022204b9e4670b426dc2de3f70dbb37f","sha256":"fae794456fd51cc7b1ae4ff86f7107ababd8a283adf2a035901e7fd58fc551f8"},{"path":"index.js","tlsh":"a9900401d33071454757c317f54444331cd541d1111450d0d14447fd4407fd040d4541","sha256":"1ee1f0e03fd18f43210cdd6cec24bb9d6f08fdd4fd92d09d966d4afde18208b4"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-BPBm+oYI3u3wCz6N5Hj7wluY9nUP8VljEHqT+UOjb4MgvcQMHdddpCWU9yFci4AkFT6/ho+nI5jtgZtJYgdG4A==","sha1":"291c17e49d8f8d676f6d2005983665a6a400f766"},"filename":"arc-diag-util-1.0.1.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/arc-diag-util/MAL-2026-4481.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}