{"id":"MAL-2026-4510","summary":"Malicious code in cerebrum-core (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e0ac38481a69f23f9170b098fcd48cd72b82edb969bdd44eb3aa5cc377a13a0d)\nOn `npm install`, the package's `postinstall` hook runs `setup.js`, which decodes an embedded base64 string into a tar.gz file at `../../../temp_bundle.tar.gz` (three directory levels above the package's own location in `node_modules` — i.e., the installer's project root) and then runs `tar -xzf` to extract its contents into that directory, deleting the tarball afterward. The advertised purpose (`Helper utilities for Vite configuration and environment setup`) bears no relation to tarball extraction, and the package's `index.js` is a stub that only emits two `console.log` calls. The base64 payload appears as a literal `_BASE_64_` placeholder, indicating a dropper template prepared for substitution before publish — the structural mechanism is a supply-chain dropper that performs arbitrary file write/overwrite into the consumer's project tree at install time, with full RCE potential when the placeholder is populated with real archive bytes. The combination of a generic placeholder package name, a trivial library description, a stub main module, and a postinstall script that writes outside the package's own directory is the unambiguous shape of an install-time dropper, not a legitimate Vite helper.\n","modified":"2026-05-26T06:02:18.019850715Z","published":"2026-05-21T01:06:31Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-21T01:06:31Z","id":"IN-MAL-2026-003671","versions":["1.1.0"],"source":"amazon-inspector","sha256":"e0ac38481a69f23f9170b098fcd48cd72b82edb969bdd44eb3aa5cc377a13a0d","import_time":"2026-05-26T05:51:04.872028857Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cerebrum-core/v/1.1.0"}],"affected":[{"package":{"name":"cerebrum-core","ecosystem":"npm","purl":"pkg:npm/cerebrum-core"},"versions":["1.1.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cerebrum-core/MAL-2026-4510.json","indicators":{"evidence_files":[{"path":"setup.js","tlsh":"88e0abe107c153f4d8a0cec3eb10ba2e5243d1937b03d6c0c16c12ca2bd369154b2cb9","sha256":"58f46ded66c1747db7998968203280fcf6b90febc60d8d16e5a3df2b644d3a54"},{"path":"package.json","tlsh":"09d02e204e226c3320c46fa20caf940629314f3b0200a84c2bd720288baa2726eff218","sha256":"fc00212aea1da575d6ae92d3965aeefb16ca688d5075a4da20754361f54731be"}],"package_integrity":[{"hashes":{"sha1":"a87f9adca2aad21fca36ee8a7b6603e9acb968e2","sha512_sri":"sha512-Oxfs8tVzQgDNLcIlhv3dL9v+zDHYHHiMY1cPoVBD3bIrX9oEylvSXmURZIQGtiRplKM0LUf1HLVZbnGOe/e/ug=="},"filename":"cerebrum-core-1.1.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}