{
  "id": "MAL-2026-4617",
  "summary": "Malicious code in n8n-nodes-pentest-rce (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2a813bc4a209e75b50151451de1c2a3c4a7e916b181b314416eafc43492b4eb5)\nOn `npm install`, the package's `postinstall` script runs a shell pipeline that reads the Kubernetes service-account token from `/var/run/secrets/kubernetes.io/serviceaccount/token` (truncated to 200 bytes), the pod namespace file, the first 20 sorted environment variables, and host fingerprinting data (`id`, `hostname`, `uname -a`, `ip addr`, `/etc/os-release`, `mount`, `/proc/1/status`, `/proc/1/cgroup`), emitting them between `=RCE_START=` / `=RCE_END=` markers. In typical n8n custom-node installation contexts (n8n cloud, CI build pipelines, container-image builds), install-time stdout is captured into build logs accessible to the attacker. The advertised node code in `dist/PentestNode.node.js` is a no-op (`return [this.getInputData()]`) and `index.js` exports `{}` — the package provides no functional value to a consumer; the install-time shell payload is the entire purpose. The package self-identifies as a 'pentest proof of concept' for RCE in its name and description.\nThe exfiltrated K8s SA token grants API access to the cluster the installer runs in, and the env-var dump commonly contains cloud-provider credentials.\n",
  "modified": "2026-05-26T06:02:43.025843458Z",
  "published": "2026-05-21T00:47:40Z",
  "database_specific": {
    "malicious-packages-origins": [
      {"source": "amazon-inspector", "sha256": "0488febf49bd134aed0fa92236ba8f52af6e870c1aef10556cdcfbfc2056c2e8", "id": "IN-MAL-2026-003690", "versions": ["1.0.35"], "import_time": "2026-05-26T05:51:07.097648671Z", "modified_time": "2026-05-21T01:30:22Z"},
      {"source": "amazon-inspector", "sha256": "60be575f03918d040794b457c04d31c1de87deb7db96a195136f21281cf4d24a", "id": "IN-MAL-2026-003681", "versions": ["1.0.31"], "modified_time": "2026-05-21T01:19:30Z", "import_time": "2026-05-26T05:51:06.107587832Z"},
      {"source": "amazon-inspector", "sha256": "a6509bc71ca026b8d09ac760fe5ced4fb027131166c46348097b4bb29fa61f4b", "id": "IN-MAL-2026-003667", "versions": ["1.0.16"], "modified_time": "2026-05-21T01:01:18Z", "import_time": "2026-05-26T05:51:04.4681289Z"},
      {"source": "amazon-inspector", "sha256": "e4dbdf9fb9e135b09a14f6780e4462cf258a7ce489f8f2103bdaf592b2733eb2", "versions": ["1.0.33"], "id": "IN-MAL-2026-003686", "modified_time": "2026-05-21T01:25:02Z", "import_time": "2026-05-26T05:51:06.644479921Z"},
      {"source": "amazon-inspector", "sha256": "e681ddff488c0afa1eb87aab6fc8c5adf4efee1c89029046e1b09e9ae23bc789", "id": "IN-MAL-2026-003698", "versions": ["1.0.43"], "modified_time": "2026-05-21T01:37:10Z", "import_time": "2026-05-26T05:51:08.070633856Z"},
      {"source": "amazon-inspector", "sha256": "f9059cfcb66eba746763d81a547e33b5600fe75c1269ff75d6a52157403151ec", "id": "IN-MAL-2026-003661", "versions": ["1.0.3"], "modified_time": "2026-05-21T00:47:40Z", "import_time": "2026-05-26T05:51:03.830479043Z"},
      {"source": "amazon-inspector", "sha256": "13ef49a756cfc296c2bc5578b3ab8329ba99a9b0a4502b4fdd9c86a9187a0e6d", "versions": ["1.0.21"], "id": "IN-MAL-2026-003676", "modified_time": "2026-05-21T01:12:58Z", "import_time": "2026-05-26T05:51:05.443249714Z"},
      {"source": "amazon-inspector", "sha256": "3e5579da454e7d043624efd86c47d8717fe07701c5a2d3beb6c94015386fcf28", "id": "IN-MAL-2026-003680", "versions": ["1.0.32"], "modified_time": "2026-05-21T01:16:17Z", "import_time": "2026-05-26T05:51:05.943992602Z"},
      {"source": "amazon-inspector", "sha256": "9a0ed01a6aa9c3cdc81804f81910f7090283a8728b9e3e627d09f4a7b41bb7c4", "versions": ["1.0.44"], "id": "IN-MAL-2026-003699", "modified_time": "2026-05-21T01:38:37Z", "import_time": "2026-05-26T05:51:08.182781836Z"},
      {"source": "amazon-inspector", "sha256": "e681f30e01289823cdbf587cf07a9f23ee0e501825ef76fe59e2cb548d046e8e", "id": "IN-MAL-2026-003697", "versions": ["1.0.39"], "modified_time": "2026-05-21T01:36:18Z", "import_time": "2026-05-26T05:51:07.961732741Z"},
      {"source": "amazon-inspector", "sha256": "eb91a035358fe17af5a78c1b658a5e68d42d61cd9f2c881e388982016890e51d", "id": "IN-MAL-2026-003669", "versions": ["1.0.11"], "modified_time": "2026-05-21T01:06:11Z", "import_time": "2026-05-26T05:51:04.668903871Z"},
      {"source": "amazon-inspector", "sha256": "0719289be3acd1ec8a27d373db5a1e9984d9eb52b5b77017c459ffa6046b1dec", "id": "IN-MAL-2026-003674", "versions": ["1.0.41"], "modified_time": "2026-05-21T01:09:11Z", "import_time": "2026-05-26T05:51:05.221030276Z"},
      {"source": "amazon-inspector", "sha256": "0d84d0655306e0d918ad757c25e5ba8dcdd108f1e19e419dad84b506e3a6d595", "id": "IN-MAL-2026-003668", "versions": ["1.0.7"], "modified_time": "2026-05-21T01:02:18Z", "import_time": "2026-05-26T05:51:04.571978181Z"},
      {"source": "amazon-inspector", "sha256": "4c6a0572fa8ed19e15941d846286b3e0e89eb65126b57a3e59e471a8270b21dc", "id": "IN-MAL-2026-003679", "versions": ["1.0.28"], "modified_time": "2026-05-21T01:16:02Z", "import_time": "2026-05-26T05:51:05.810940796Z"},
      {"source": "amazon-inspector", "sha256": "a612a02d7651ed5df93e06620bb17ebd0d9f994773dde779696ba5017fda3ba8", "id": "IN-MAL-2026-003675", "versions": ["1.0.36"], "modified_time": "2026-05-21T01:10:06Z", "import_time": "2026-05-26T05:51:05.335958595Z"},
      {"source": "amazon-inspector", "sha256": "e7a861b60926034ce75e754ed3dd0ae77a492ddaf53956f57a9baa7ec6808ade", "versions": ["1.0.40"], "id": "IN-MAL-2026-003683", "modified_time": "2026-05-21T01:23:07Z", "import_time": "2026-05-26T05:51:06.314484632Z"},
      {"source": "amazon-inspector", "sha256": "0bbc888557128dba7e0032db52d7775f931206c90d61fa1277ceca960b7deeeb", "id": "IN-MAL-2026-003678", "versions": ["1.0.29"], "modified_time": "2026-05-21T01:15:58Z", "import_time": "2026-05-26T05:51:05.650075037Z"},
      {"source": "amazon-inspector", "sha256": "2fdf0c768efc457390a8facb0bd5470f23221e9e14c861fbd02c05d6a12b62c7", "id": "IN-MAL-2026-003665", "versions": ["1.0.0"], "modified_time": "2026-05-21T00:53:22Z", "import_time": "2026-05-26T05:51:04.263231687Z"},
      {"source": "amazon-inspector", "sha256": "3254c77b88c0f86ff3e1196c92f1d201d7d3953c221da804c0743fae2f75fa34", "id": "IN-MAL-2026-003677", "versions": ["1.0.19"], "import_time": "2026-05-26T05:51:05.545734349Z", "modified_time": "2026-05-21T01:13:12Z"},
      {"source": "amazon-inspector", "sha256": "568ac0d3ede37787c50defca157735a92dba2ba3e9da10cecc68ca857378186a", "versions": ["1.0.42"], "id": "IN-MAL-2026-003695", "modified_time": "2026-05-21T01:34:14Z", "import_time": "2026-05-26T05:51:07.750784338Z"},
      {"source": "amazon-inspector", "sha256": "5c88b783d3aae83a833d2b018530ec7e84127eb8dc4978a440c886bc0d9f16cf", "versions": ["1.0.30"], "id": "IN-MAL-2026-003685", "modified_time": "2026-05-21T01:24:17Z", "import_time": "2026-05-26T05:51:06.546421085Z"},
      {"source": "amazon-inspector", "sha256": "6a5f35198cd0cf35ec78e2ba3f0cd4aa93637d5871b3883b3f3b09010d454e0c", "id": "IN-MAL-2026-003670", "versions": ["1.0.15"], "modified_time": "2026-05-21T01:06:26Z", "import_time": "2026-05-26T05:51:04.761313226Z"},
      {"source": "amazon-inspector", "sha256": "980aaaaa691abe7b1a03a210c72f6af350b346fee02d1f1974efe4c13aa6e297", "id": "IN-MAL-2026-003673", "versions": ["1.0.8"], "modified_time": "2026-05-21T01:08:01Z", "import_time": "2026-05-26T05:51:05.122127462Z"},
      {"source": "amazon-inspector", "sha256": "a180a386cdea43b046b780c90a7bd881bf4eb10de44667a5ea7128bb382eef48", "id": "IN-MAL-2026-003684", "versions": ["1.0.38"], "import_time": "2026-05-26T05:51:06.416081933Z", "modified_time": "2026-05-21T01:23:57Z"},
      {"source": "amazon-inspector", "sha256": "2a813bc4a209e75b50151451de1c2a3c4a7e916b181b314416eafc43492b4eb5", "id": "IN-MAL-2026-003666", "versions": ["1.0.1"], "modified_time": "2026-05-21T00:58:08Z", "import_time": "2026-05-26T05:51:04.358282759Z"},
      {"source": "amazon-inspector", "sha256": "3120abdc4b5c0be556856910dca5f35512bff8ac46d695a8f18a1311547f38af", "id": "IN-MAL-2026-003682", "versions": ["1.0.37"], "modified_time": "2026-05-21T01:19:35Z", "import_time": "2026-05-26T05:51:06.202120389Z"}
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.35"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.31"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.16"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.33"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.43"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.3"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.21"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.32"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.44"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.39"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.11"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.41"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.7"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.28"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.36"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.40"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.29"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.0"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.19"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.42"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.30"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.15"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.8"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.38"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.1"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/n8n-nodes-pentest-rce/v/1.0.37"}
  ],
  "affected": [
    {
      "package": {"name": "n8n-nodes-pentest-rce", "ecosystem": "npm", "purl": "pkg:npm/n8n-nodes-pentest-rce"},
      "versions": ["1.0.35", "1.0.31", "1.0.16", "1.0.33", "1.0.43", "1.0.3", "1.0.21", "1.0.32", "1.0.44", "1.0.39", "1.0.11", "1.0.41", "1.0.7", "1.0.28", "1.0.36", "1.0.40", "1.0.29", "1.0.0", "1.0.19", "1.0.42", "1.0.30", "1.0.15", "1.0.8", "1.0.38", "1.0.1", "1.0.37"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/n8n-nodes-pentest-rce/MAL-2026-4617.json",
        "cwes": [
          {"name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506"}
        ],
        "indicators": {
          "package_integrity": [
            {"hashes": {"sha512_sri": "sha512-GP878YxMaWJN0yvgSQhZjxLT3Y/Hlh97hVL+k1csdz2WJPQiSCKKVhUctiEhHJYby7+NBn0DAOM0bhtIEEO6CA==", "sha1": "1d6911b51d358d66274321ba406dd761147e1c12"}, "filename": "n8n-nodes-pentest-rce-1.0.35.tgz"}
          ],
          "evidence_files": [
            {"sha256": "fd3f685fb1c0257614f7ed6adf841418bec9824b6be984bcb6da755af0389f14", "path": "dist/PentestNode.node.js", "tlsh": "9901c2101deb56b467b290906f13956bb076ef07a025e4be774ccf1fae94804c0959ad"},
            {"sha256": "176af866ce0cac8afe5ca346f90b7067c51b9962a6e6c53569cf0931121f914e", "path": "package.json", "tlsh": "a3d0a7294c13461726c845a81c555912b6214e4b918cb814b397542c57dda7644bd24d"}
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"}
  ]
}