{"id":"MAL-2026-4580","summary":"Malicious code in http-uploader-dev (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (936024fb65d6ab06a1f01fcd765b534812efb873f076e81303d87c0b141bba2b)\npackage.json declares `\"preinstall\": \"bun run index.js\"`, which on `npm install` invokes Bun to run index.js. index.js detects the host OS and shells out to launch an unrelated local application — `open -a Calculator` on macOS, `calc.exe` on Windows, and `xcalc`/`gnome-calculator`/`kcalc` on Linux — via `execSync`. This is the canonical proof-of-concept install-time RCE payload and bears no relation to the package's stated 'http uploader' purpose. Two independently suspicious structural traits compound the lifecycle behavior: (1) the preinstall hook routes execution through Bun, an alternate runtime fetched outside the normal Node resolution path, matching the alternate-runtime-dropper pattern; (2) package metadata is placeholder/throwaway (author 'sleep', homepage `https://git.hfaf.com/urlaa`, generic name 'http-uploader-dev'). The PoC nature of the current payload (launching a calculator) does not lower the severity: any installer running `npm install http-uploader-dev` executes attacker-chosen commands at install time, and a future republish can swap in arbitrary code with no change to the trigger surface.\n","modified":"2026-06-12T20:01:52.825696589Z","published":"2026-05-21T09:06:31Z","database_specific":{"malicious-packages-origins":[{"sha256":"936024fb65d6ab06a1f01fcd765b534812efb873f076e81303d87c0b141bba2b","source":"amazon-inspector","import_time":"2026-05-26T05:51:19.972056137Z","modified_time":"2026-05-21T09:47:46Z","id":"IN-MAL-2026-003797","versions":["1.0.3"]},{"import_time":"2026-05-26T05:51:18.977386732Z","source":"amazon-inspector","sha256":"c5c79f07e872440f7a6cdddf0385c8e88675a0def325a08af63de330f1cd94c3","modified_time":"2026-05-21T09:06:31Z","id":"IN-MAL-2026-003788","versions":["1.0.0"]},{"sha256":"dad89f8aa4b11f7ca9548e55a763bff12293a14d3889074f847d4735e1af5126","source":"amazon-inspector","import_time":"2026-05-26T05:51:19.731201257Z","modified_time":"2026-05-21T09:37:37Z","id":"IN-MAL-2026-003795","versions":["1.0.2"]},{"modified_time":"2026-05-25T08:35:42Z","import_time":"2026-05-26T05:52:56.064951496Z","sha256":"f78bad20b316dad1568a74ff372d2d5e955bd658ccf93bd814e2939c3a0b8216","source":"amazon-inspector","id":"IN-MAL-2026-004607","versions":["1.0.5"]},{"import_time":"2026-05-26T05:51:19.284239093Z","source":"amazon-inspector","sha256":"a8bb3bd4e143aaf8df6d3d54eedb9f36d7f156c59775eed35a21de8d33b253a3","modified_time":"2026-05-21T09:15:41Z","id":"IN-MAL-2026-003791","versions":["1.0.1"]},{"import_time":"2026-05-26T09:17:32.39634727Z","source":"amazon-inspector","sha256":"d9818578428bc38b7bd3f5e4546e4d14d0ebe9709b9fea08cd359a3f99e84d46","modified_time":"2026-05-26T08:33:56Z","id":"IN-MAL-2026-004872","versions":["1.0.6"]},{"sha256":"577aa4c42e8931b5a638758260beaa8efade008231a95c06a0c0b7829655bb7b","source":"amazon-inspector","import_time":"2026-06-12T19:43:55.604416996Z","modified_time":"2026-06-12T19:06:45Z","id":"IN-MAL-2026-005990","versions":["1.0.7"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/http-uploader-dev/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/http-uploader-dev/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/http-uploader-dev/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/http-uploader-dev/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/http-uploader-dev/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/http-uploader-dev/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/http-uploader-dev/v/1.0.7"}],"affected":[{"package":{"name":"http-uploader-dev","ecosystem":"npm","purl":"pkg:npm/http-uploader-dev"},"versions":["1.0.3","1.0.0","1.0.2","1.0.5","1.0.1","1.0.6","1.0.7"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"b1f084e09afad730aa7518a36e8a11a561a39027240afb9c30898386ab9416402b0cf5","sha256":"522164d64f61e40a5602b8090c2e161954c668915725d63acc2752adfe2db81e","path":"index.js"},{"tlsh":"c0e0d8b4c8219c732dd04b288929594662a48f3b40453c0a73db108c9ade5b714ff14e","sha256":"99a72d6da2467bc9ce3b6be5f8b241558b24d792d264116990a2a3a835594c9b","path":"package.json"}],"package_integrity":[{"filename":"http-uploader-dev-1.0.3.tgz","hashes":{"sha1":"94e48058681c401fba7de9a6545d65df48b718e4","sha512_sri":"sha512-AzrPDH2ly7783OGYsCgJcpsULrdvVc36C0mHjfkzcEPhg2zfNPDcSxksfPbI1ZNa0XaqM3nOsHCGBsljGyY3hQ=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/http-uploader-dev/MAL-2026-4580.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com","inspector-research@amazon.com"],"type":"FINDER"}]}