{"id":"MAL-2026-4626","summary":"Malicious code in omnius (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2aceac0879b587bc711c3f156bf0de4bab90f3774816a6cbeb36a2cf9bb03e12)\nThe package's postinstall lifecycle hook launches dist/postinstall-daemon.cjs, which combines child_process.execSync, os.userInfo(), filesystem probes, and network primitives (require('http'), http.request, GET) consistent with a host-reconnaissance-and-exfiltration daemon. The script repeatedly invokes ping (5+ call sites at lines 184, 298, 465, 693, 741) for host/network discovery, and reads identity (os.userInfo at L160, L395) before sending HTTP requests. package.json declares both preinstall and postinstall hooks and additionally embeds curl invocations (line 142). A sibling Python script (dist/scripts/web_scrape.py) contains its own ping/wget/POST chain. The combination of: (a) a daemon installed via lifecycle hooks, (b) execSync-driven system enumeration, (c) outbound HTTP from install-time-reachable code, and (d) multiple curl shell-outs in package.json constitutes installer-side reconnaissance with network exfiltration. Installing this package will execute attacker-controlled probing/exfiltration on the installer's machine.\n","modified":"2026-05-27T00:32:07.226234709Z","published":"2026-05-21T00:38:55Z","withdrawn":"2026-05-26T18:47:47Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:52:25.201973024Z","versions":["1.0.153"],"sha256":"1a72f7f4c87504d318fda887255883803833c2f4ca996467217d759bbc668965","source":"amazon-inspector","modified_time":"2026-05-23T15:30:31Z","id":"IN-MAL-2026-004346"},{"import_time":"2026-05-26T05:52:26.553669486Z","versions":["1.0.155"],"sha256":"b3cc519a95afb055f43032cd7b0e9552fac64c552404ce9bc1a1530399730fd1","source":"amazon-inspector","modified_time":"2026-05-23T16:10:15Z","id":"IN-MAL-2026-004357"},{"versions":["1.0.147"],"import_time":"2026-05-26T05:52:15.442917667Z","sha256":"c38d8aee6b2de2fb5ec8ee9cf3e1aab47b8be658d4e555c01a9266face8f23ba","source":"amazon-inspector","id":"IN-MAL-2026-004261","modified_time":"2026-05-22T21:21:42Z"},{"versions":["1.0.136"],"import_time":"2026-05-26T05:51:03.715533986Z","sha256":"dc0cf5809bf2c7b1f2840592209c44e1e7d8933913d00d2861ce400802b755aa","source":"amazon-inspector","id":"IN-MAL-2026-003660","modified_time":"2026-05-21T00:38:55Z"},{"import_time":"2026-05-26T05:52:13.939893014Z","versions":["1.0.145"],"sha256":"e99944d68b58a61e9d867d2196d24769ec1946b7c8d609ca1c9307f4d2243149","source":"amazon-inspector","id":"IN-MAL-2026-004248","modified_time":"2026-05-22T19:31:42Z"},{"import_time":"2026-05-26T05:52:15.790515879Z","versions":["1.0.148"],"sha256":"2aceac0879b587bc711c3f156bf0de4bab90f3774816a6cbeb36a2cf9bb03e12","source":"amazon-inspector","id":"IN-MAL-2026-004264","modified_time":"2026-05-22T22:03:46Z"},{"import_time":"2026-05-26T05:51:15.707780856Z","versions":["1.0.140"],"sha256":"6a5b974a484b7443740543dc531dcaad2348d3edadf40ae977fbf869eed3b475","source":"amazon-inspector","modified_time":"2026-05-21T06:39:39Z","id":"IN-MAL-2026-003760"},{"import_time":"2026-05-26T05:51:16.220928412Z","versions":["1.0.141"],"sha256":"794e49a48f66ee210825a7ced539a54e843cec5c34039b4cc3c0075d14647850","source":"amazon-inspector","id":"IN-MAL-2026-003764","modified_time":"2026-05-21T06:46:40Z"},{"import_time":"2026-05-26T05:52:38.354929658Z","versions":["1.0.157"],"sha256":"93a7f2c08cabc3d13867b7fce6973109bf98f42ecce2e9343d08b7c7caf5a066","source":"amazon-inspector","modified_time":"2026-05-24T03:50:41Z","id":"IN-MAL-2026-004458"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/omnius/v/1.0.153"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/omnius/v/1.0.155"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/omnius/v/1.0.147"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/omnius/v/1.0.136"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/omnius/v/1.0.145"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/omnius/v/1.0.148"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/omnius/v/1.0.140"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/omnius/v/1.0.141"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/omnius/v/1.0.157"}],"affected":[{"package":{"name":"omnius","ecosystem":"npm","purl":"pkg:npm/omnius"},"versions":["1.0.153","1.0.155","1.0.147","1.0.136","1.0.145","1.0.148","1.0.140","1.0.141","1.0.157"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/omnius/MAL-2026-4626.json","indicators":{"evidence_files":[{"tlsh":"a9d2d675b6ea21343963e2bd4b5f50097a69f1133514de1078bc72586fcc82e02b6efa","sha256":"37cb864926ffabc825b48bd82b22e6308f07f9cde7e21944c27359fe025eb395","path":"dist/postinstall-daemon.cjs"},{"tlsh":"d643a435a916646af363c02e592781023725b85336866630b9cc77b46fdc87ac2f67fc","sha256":"f9be42693e75326307bb74e99f2aad68149890fae8042d22c7d25e7ea92df605","path":"dist/scripts/web_scrape.py"},{"tlsh":"70634b63be3a697a17dbc18332191075cf39909a55584814b0dccaed9b8dafc933f392","sha256":"3b2726737a53d8457287395a10e99e4dab399c887296c309da6c77edb33d4921","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-QvB66UWpruNEW2CUuLNCm0d5dGUSRzjubdyXYpTakTqH/0qPY+91SwXVKf+T+7fsWjC2quI202V+KQy24zjKhA==","sha1":"3e158ce8da88df9ed3be134a5821ccb3eb1e064f"},"filename":"omnius-1.0.153.tgz"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}