{
  "id": "MAL-2026-4567",
  "summary": "Malicious code in freertc (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1fb3d1337fc97d6eaccde325dc5f539a28af051f548c31f1b97a8752b8f51878)\nOn install, scripts/postinstall-message.mjs reads the consumer project's package.json via process.env.INIT_CWD, and if freertc appears in dependencies/devDependencies with any value other than 'latest', it overwrites the entry to 'latest', writes the modified package.json back to disk, and invokes spawnSync('npm', ['install'], { cwd: projectRoot }). This silently mutates the installer's committed manifest (and lockfile, via the recursive npm install) without consent, converting any pinned version constraint into the mutable 'latest' tag. The effect is that every subsequent install on the consumer's machine — and on every collaborator's machine once the modified package.json is committed — will automatically pull whatever the newest published freertc release happens to be, including any future compromised release. This removes version pinning, the consumer's primary defense against supply-chain attacks on this package, as a direct consequence of installing it. The postinstall hook also performs an outbound fetch to registry.npmjs.org to gather version info as part of the same flow.\nIndependent of the version-rewrite behavior, the package contains additional outbound network calls in bin/freertc.mjs and a ping/network-id pattern in scripts/non-cloudflare-server.mjs that warrant scrutiny but are reachable only via explicit CLI/server invocation, not at install time.\n",
  "modified": "2026-05-26T06:02:34.347839052Z",
  "published": "2026-05-24T02:10:29Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "import_time": "2026-05-26T05:52:37.024010652Z",
        "source": "amazon-inspector",
        "versions": ["0.1.22"],
        "modified_time": "2026-05-24T02:21:25Z",
        "sha256": "14f60508e71ccdcc4e4ee8520b255f40c5c14c125e877dc42cbafd756604e18b",
        "id": "IN-MAL-2026-004446"
      },
      {
        "import_time": "2026-05-26T05:52:38.049361621Z",
        "source": "amazon-inspector",
        "versions": ["0.1.32"],
        "modified_time": "2026-05-24T03:00:47Z",
        "sha256": "aef2425fbb38462625b0b935a4b92981233608a339bbc970292ba25aa55706f5",
        "id": "IN-MAL-2026-004455"
      },
      {
        "import_time": "2026-05-26T05:52:37.910222124Z",
        "source": "amazon-inspector",
        "versions": ["0.1.33"],
        "modified_time": "2026-05-24T03:00:42Z",
        "sha256": "e12f4a6e2a70bb62bbe254bb0fbd149d5683f9a3584d6da58bc2732a76cad12c",
        "id": "IN-MAL-2026-004454"
      },
      {
        "sha256": "1fb3d1337fc97d6eaccde325dc5f539a28af051f548c31f1b97a8752b8f51878",
        "source": "amazon-inspector",
        "versions": ["0.1.28"],
        "modified_time": "2026-05-24T02:40:39Z",
        "import_time": "2026-05-26T05:52:37.458437676Z",
        "id": "IN-MAL-2026-004450"
      },
      {
        "sha256": "239215d3d45027d51400df45757c08811434787c8cd0d16300c04bbe329e86b8",
        "source": "amazon-inspector",
        "versions": ["0.1.23"],
        "modified_time": "2026-05-24T02:26:39Z",
        "import_time": "2026-05-26T05:52:37.13320799Z",
        "id": "IN-MAL-2026-004447"
      },
      {
        "import_time": "2026-05-26T05:52:35.069603762Z",
        "source": "amazon-inspector",
        "versions": ["0.1.20"],
        "modified_time": "2026-05-24T02:10:29Z",
        "sha256": "44343514707df6ce806b9a61f60a0765d8ec68bbbfed1b8ba11bd505dc4811ec",
        "id": "IN-MAL-2026-004429"
      },
      {
        "import_time": "2026-05-26T05:52:37.553675347Z",
        "source": "amazon-inspector",
        "versions": ["0.1.31"],
        "modified_time": "2026-05-24T02:45:53Z",
        "sha256": "89be6086d0dbe790b6deb2e6e2b974858a75dfe30a0113f872014915fb428e63",
        "id": "IN-MAL-2026-004451"
      },
      {
        "import_time": "2026-05-26T05:52:35.232866656Z",
        "source": "amazon-inspector",
        "versions": ["0.1.21"],
        "modified_time": "2026-05-24T02:10:33Z",
        "sha256": "aac02ee7f9fa879e94877b0ddb6915d85010a5ad3aadacd3042d80d332c60c58",
        "id": "IN-MAL-2026-004430"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/freertc/v/0.1.22"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/freertc/v/0.1.32"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/freertc/v/0.1.33"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/freertc/v/0.1.28"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/freertc/v/0.1.23"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/freertc/v/0.1.20"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/freertc/v/0.1.31"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/freertc/v/0.1.21"}
  ],
  "affected": [
    {
      "package": {
        "name": "freertc",
        "ecosystem": "npm",
        "purl": "pkg:npm/freertc"
      },
      "versions": ["0.1.22", "0.1.32", "0.1.33", "0.1.28", "0.1.23", "0.1.20", "0.1.31", "0.1.21"],
      "database_specific": {
        "cwes": [
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."},
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."},
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."},
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."},
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."},
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."},
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."},
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."}
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/freertc/MAL-2026-4567.json",
        "indicators": {
          "package_integrity": [
            {
              "filename": "freertc-0.1.22.tgz",
              "hashes": {
                "sha512_sri": "sha512-3U/VAVWJjDrfz1WGoeBehxzaDSd2K4wsvoTmfhFyjZTOSi7EatKQouJcC7z/fZMszsrz+IYPaoBfrxL9zGoIIQ==",
                "sha1": "472c60bd00023eb97a3744e028201413b5b8c938"
              }
            }
          ],
          "evidence_files": [
            {
              "sha256": "4366b6d0b1e8870ba1f5c4c0a1b89fd87cf99cbbe02a8cd2ff1faba4ed8880d3",
              "path": "scripts/postinstall-message.mjs",
              "tlsh": "4c81868859f665309da017dd515fa4213736d901374de8f0f2ed51047fc7768829ba2f"
            }
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["actran@amazon.com"],
      "type": "FINDER"
    }
  ]
}
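The report above describes two symptoms a consumer project shows after installing an affected release: the freertc entry in package.json has been rewritten to the mutable `latest` tag, and the lockfile resolves one of the listed versions. The following Node script is an added example, not code from the advisory or from the freertc package. It audits the raw text of a project's package.json, package-lock.json and .npmrc offline for those symptoms, and also checks whether `ignore-scripts=true` is set, which makes npm skip lifecycle hooks such as the postinstall script named in the evidence files. The function names, the sample manifest and the sample lockfile are constructed for this example; the affected version list is copied from the advisory.

```javascript
// Added example (not from the advisory or the freertc project): audit a
// consumer project for a freertc pin rewritten to "latest", a lockfile that
// resolves an affected release, and whether npm lifecycle scripts are disabled.
// Works on raw file text, so it runs offline and without touching npm.

// Affected versions, copied from the advisory's "affected" list.
const AFFECTED_VERSIONS = new Set([
  "0.1.20", "0.1.21", "0.1.22", "0.1.23",
  "0.1.28", "0.1.31", "0.1.32", "0.1.33",
]);

// Manifest fields in which a dependency spec can appear.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Resolve the installed version of `name` from a parsed lockfile.
// lockfileVersion 2/3 keep entries under "packages" keyed by path;
// lockfileVersion 1 nests them under "dependencies".
function lockedVersion(lock, name) {
  const byPath = (lock.packages || {})[`node_modules/${name}`];
  if (byPath && byPath.version) return byPath.version;
  const byName = (lock.dependencies || {})[name];
  if (byName && byName.version) return byName.version;
  return null;
}

// Returns { present, resolved, findings } for freertc in this project.
// `lockText` may be null when the project has no lockfile.
function auditFreertc(packageJsonText, lockText) {
  const manifest = JSON.parse(packageJsonText);
  const lock = lockText ? JSON.parse(lockText) : {};
  const findings = [];
  let present = false;

  for (const field of DEP_FIELDS) {
    const spec = manifest[field] && manifest[field].freertc;
    if (spec === undefined) continue;
    present = true;
    if (spec === "latest") {
      // The value scripts/postinstall-message.mjs writes back to disk.
      findings.push({ severity: "high", where: field, spec,
        reason: "pin replaced by the mutable 'latest' tag" });
    } else if (!/^\d+\.\d+\.\d+$/.test(spec)) {
      findings.push({ severity: "medium", where: field, spec,
        reason: "range rather than exact pin; a future release can be pulled in" });
    }
  }

  const resolved = lockedVersion(lock, "freertc");
  if (resolved !== null) present = true;
  if (resolved !== null && AFFECTED_VERSIONS.has(resolved)) {
    findings.push({ severity: "critical", where: "lockfile", spec: resolved,
      reason: "resolved version is in the advisory's affected list" });
  }
  return { present, resolved, findings };
}

// True when .npmrc sets ignore-scripts=true, which makes npm skip
// preinstall/install/postinstall hooks for every package it installs.
// Later assignments override earlier ones, as in npm's ini handling.
function npmrcIgnoresScripts(npmrcText) {
  let enabled = false;
  for (const raw of (npmrcText || "").split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "ignore-scripts") enabled = value === "true";
  }
  return enabled;
}

// Constructed sample inputs (not files from any real project): a manifest the
// hook has already rewritten, and a lockfileVersion 3 lockfile resolving 0.1.28.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "consumer-app",
  dependencies: { freertc: "latest", "some-other-dep": "1.0.0" },
});
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: { "node_modules/freertc": { version: "0.1.28" } },
});

console.log(JSON.stringify(auditFreertc(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK), null, 2));
```

The "medium" finding is deliberately broader than the advisory: any non-exact range lets a future release in, and the report's point is that the hook's only effect on the manifest is to widen that window to `latest`. Running the audit in CI against the committed package.json catches the rewrite even when the developer who installed the package did not notice the changed diff.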