{"id":"MAL-2026-4577","summary":"Malicious code in harness-skil (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e03ab8467953cd2233e07e792a33c7df7be2c99c66da3b814538a169337b93e6)\nThe package's install.js (wired to an npm install lifecycle hook) requires child_process, fs, and https, then issues an https.get to a raw.githubusercontent.com URL and writes/executes the fetched content with environment variables passed through. Fetching code from a personal/raw GitHub user content URL — a mutable, non-publisher, non-version-pinned source — and running it as part of `npm install` is the canonical install-time dropper shape: any installer of harness-skil executes whatever bytes currently live at that URL, with no integrity check or pinning. The package's name does not indicate a legitimate need to download external code at install time, and the destination is not a publisher-owned or known runtime CDN.\n","modified":"2026-05-26T06:02:36.196621713Z","published":"2026-05-24T06:05:18Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004468","sha256":"45ebe57d4bef636497d4588feca853441fd83299640ef1e1d772eca62121d396","versions":["1.0.0"],"source":"amazon-inspector","modified_time":"2026-05-24T06:05:19Z","import_time":"2026-05-26T05:52:39.528723343Z"},{"id":"IN-MAL-2026-004467","sha256":"e03ab8467953cd2233e07e792a33c7df7be2c99c66da3b814538a169337b93e6","versions":["1.0.0"],"source":"amazon-inspector","modified_time":"2026-05-24T06:05:18Z","import_time":"2026-05-26T05:52:39.41309522Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/harness-skil/v/1.0.0"}],"affected":[{"package":{"name":"harness-skil","ecosystem":"npm","purl":"pkg:npm/harness-skil"},"versions":["1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"7d51216e48f786305773a4882b5b401b746699032259db58b76c472affc1a38c2069ff","sha256":"123a9e76ca57e3f3ebe58048fb20fe1e42c409e70842c064eca56296b44cfdf8","path":"install.js"}],"domains":["raw.githubusercontent.com"],"package_integrity":[{"filename":"harness-skil-1.0.0.tgz","hashes":{"sha1":"de0854b1029861dcf104cd6eb5c4f9686f84dc5e","sha512_sri":"sha512-Cg5wFqIEMRpOA4hwb6ISxts+uzuXfPTvTwPHadIaJQWIDdVkZIimCwRCrNpXvSfq/u0bVTOkoCD7Wi7wz37rdw=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/harness-skil/MAL-2026-4577.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}