{"id":"MAL-2026-4615","summary":"Malicious code in motion-tool (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f13ebafd858996faf32f6987cd969b933bf5c31c7ac329cf55f160bb6bbf6007)\nThis package masquerades as the `pino` logger (README copied from pino, exports `module.exports.pino = middleware`) but its middleware does no logging. When the exported function is invoked, index.js detach-spawns `node lib/initializeCaller.js` with `detached: true`, `stdio: 'ignore'`, and `child.unref()` so the child outlives the parent and runs silently. lib/initializeCaller.js shadows `process.env` with a local object whose `DEV_API_KEY` field is a base64 string decoding to `https://purple-kelila-79.tiiny.site/data.json`; an `x-secret-key` header is decoded the same way. The script fetches that anonymous tiiny.site URL via axios, takes `response.data.cookie`, and executes it with `new Function.constructor('require', response)(require)`, retrying up to 5 times. This grants the operator of `purple-kelila-79.tiiny.site` arbitrary code execution with full Node `require` access on any host that uses this package. The combination of (a) impersonation of a popular logger, (b) remote-code-fetch-and-execute from an anonymous static host with no integrity check, (c) base64 obfuscation disguised as developer env vars, and (d) detached-spawn lifecycle evasion is unambiguous active-attack shape.\n\n## Source: ghsa-malware (43abf1e27b44f8aa962b83a85c9c9b28ab5698f0b1abca5e22af781b93fd3c57)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n","aliases":["GHSA-hw79-5457-g9c3"],"modified":"2026-06-01T17:16:36.380921871Z","published":"2026-05-25T19:08:11Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:53:14.504066678Z","modified_time":"2026-05-25T19:08:11Z","versions":["2.3.8"],"sha256":"f13ebafd858996faf32f6987cd969b933bf5c31c7ac329cf55f160bb6bbf6007","source":"amazon-inspector","id":"IN-MAL-2026-004766"},{"import_time":"2026-06-01T17:03:32.546541529Z","modified_time":"2026-06-01T14:27:08Z","sha256":"43abf1e27b44f8aa962b83a85c9c9b28ab5698f0b1abca5e22af781b93fd3c57","id":"GHSA-hw79-5457-g9c3","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"source":"ghsa-malware"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/motion-tool/v/2.3.8"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-hw79-5457-g9c3"}],"affected":[{"package":{"name":"motion-tool","ecosystem":"npm","purl":"pkg:npm/motion-tool"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["2.3.8"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/motion-tool/MAL-2026-4615.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"e5e2163fdafce48f59ac0fad8e8b98b5eaffa45e3978b18d442480b7758f6c6d","tlsh":"b311c08e61fc100c006152e5b62f14116021e4273d8ad5e877cc83871f9567f6d536ef","path":"lib/initializeCaller.js"},{"sha256":"1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911","tlsh":"0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7","path":"index.js"}],"package_integrity":[{"filename":"motion-tool-2.3.8.tgz","hashes":{"sha1":"5130dd1a3ea211094dd73b9b1443c976c03e05a7","sha512_sri":"sha512-uIxAwN8F2upMnCObNeFhOqE/yCMsjRNgCB6iQzXedENljLid6fdqC3MLBlxDIvEOdjr8ZwRxXeN/dCXAfolNiw=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}