{"id":"MAL-2026-4529","summary":"Malicious code in cloudpivot (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4bd95ac92732da86e3ec63771e124da83ea8d98e1dd2f6636ab3d8dde76ab34c)\nOn `npm install`, the package.json preinstall hook runs `wget` against http://194.120.24.50:7374 with query parameters carrying `$(whoami)`, `$(pwd)`, `$(hostname)`, and a base64-encoded copy of `/etc/passwd`. The package ships no functional code — `main: index.js` is declared but no index.js is present — so the only effect of installing the package is the exfiltration probe firing automatically. The destination is a bare IP over plain HTTP, with no relation to any declared publisher, and the package description itself references Burp Collaborator abuse. Any developer or CI system that runs `npm install cloudpivot` leaks host identifiers and the local user database to the operator of 194.120.24.50.\n","modified":"2026-05-26T06:02:24.503445043Z","published":"2026-05-23T08:02:30Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","id":"IN-MAL-2026-004300","modified_time":"2026-05-23T08:22:24Z","versions":["1.0.3"],"import_time":"2026-05-26T05:52:19.864106554Z","sha256":"4bd95ac92732da86e3ec63771e124da83ea8d98e1dd2f6636ab3d8dde76ab34c"},{"source":"amazon-inspector","id":"IN-MAL-2026-004299","modified_time":"2026-05-23T08:02:30Z","versions":["1.0.1"],"import_time":"2026-05-26T05:52:19.765042781Z","sha256":"e9fbe3aa0aad306420c2f7b34389ded8e1fc6e044a2af36789935051475f5284"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cloudpivot/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/cloudpivot/v/1.0.1"}],"affected":[{"package":{"name":"cloudpivot","ecosystem":"npm","purl":"pkg:npm/cloudpivot"},"versions":["1.0.3","1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cloudpivot/MAL-2026-4529.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"7d11efaa6a70cb366df84f343ba08316b10377af04717d0574739a84238e4f2241ce21","path":"package.json","sha256":"b399506fb05a89ad0070a3359d1532e08697bb6e3fb2900c6e65f6bbeee3ee6b"}],"package_integrity":[{"filename":"cloudpivot-1.0.3.tgz","hashes":{"sha512_sri":"sha512-BhlUsRdIAiYfJTqguNXTEtSmkpbcPAw0EQkVFcTpEtiApT9gQjOBiSuIE1air+ysPNzjC2FiWHszMuVM4QI3wg==","sha1":"be1b3a4d808a612d85bf8a0bb7aaa5c83bddd692"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}