{"id":"MAL-2026-4627","summary":"Malicious code in onboardconnect-agent (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9c17efe362ab4daf81f1ee7efe462a256ba325562a255906102d10d4a9ee87e5)\nThe package's dist/setup.js script performs an HTTPS POST to https://oc-worker-tenant-api.wpolanco.workers.dev carrying values read from process.env, with additional fetch/POST sites further down the same file. dist/server.js contains multiple POST sinks and a ping invocation, while dist/crypto.js and dist/store.js wrap repeated Buffer.from(..., 'base64') decoding routines consistent with obfuscated payload handling. The destination is a personal *.workers.dev subdomain (wpolanco.workers.dev) that is not associated with any documented vendor publisher and is the canonical low-effort exfiltration host shape — anonymous, free, attacker-controlled, and trivially registered. No legitimate purpose for an 'onboard connect agent' to ship environment variables to a personal Cloudflare Worker exists; combined with the base64-decoding helpers in adjacent files this matches the data-exfiltration shape directly.\n","modified":"2026-05-27T00:32:07.231678473Z","published":"2026-05-22T15:00:53Z","withdrawn":"2026-05-26T18:48:19Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-24T22:46:37Z","import_time":"2026-05-26T05:52:49.726131147Z","versions":["1.1.24"],"sha256":"30e75809f132f2cac2c85cf0bb18b445a9df490ac709a2d42eab018f430f07af","id":"IN-MAL-2026-004554","source":"amazon-inspector"},{"modified_time":"2026-05-25T19:11:54Z","import_time":"2026-05-26T05:53:14.617708287Z","versions":["1.1.31"],"sha256":"35813ed05d8b88c8db8caf673571dbe285ceff43c5b93c9a5e85992383844fa5","id":"IN-MAL-2026-004767","source":"amazon-inspector"},{"modified_time":"2026-05-24T20:51:34Z","versions":["1.1.22"],"sha256":"4cda0c95b483c82968d2b75214fd2d06061eb09001d46bd5cac4b8517d34bdeb","import_time":"2026-05-26T05:52:49.391332586Z","id":"IN-MAL-2026-004551","source":"amazon-inspector"},{"modified_time":"2026-05-23T04:44:38Z","versions":["1.1.15"],"sha256":"5b9677346fc5c8f57ad8de388659543ce2ed5863428723484cd7dbfdc90f28b5","import_time":"2026-05-26T05:52:18.534440351Z","id":"IN-MAL-2026-004287","source":"amazon-inspector"},{"modified_time":"2026-05-23T04:49:48Z","versions":["1.1.16"],"sha256":"9c17efe362ab4daf81f1ee7efe462a256ba325562a255906102d10d4a9ee87e5","import_time":"2026-05-26T05:52:18.664704889Z","id":"IN-MAL-2026-004288","source":"amazon-inspector"},{"modified_time":"2026-05-24T19:11:42Z","sha256":"b02ef4a70a4d4322b88f002cd5151a3ad6a9036379c82d7febff362daf7dee97","import_time":"2026-05-26T05:52:47.341029206Z","versions":["1.1.21"],"id":"IN-MAL-2026-004532","source":"amazon-inspector"},{"modified_time":"2026-05-22T15:00:53Z","import_time":"2026-05-26T05:52:10.93673692Z","versions":["1.1.5"],"sha256":"c609b6742ce86266143c09e5e33fdc3cc3d4a65891fc2e7a73eb976d2a25b4d7","id":"IN-MAL-2026-004221","source":"amazon-inspector"},{"modified_time":"2026-05-25T19:19:51Z","sha256":"f0c350755d37ffa3c7c04f7dcfaa31c2c2b3fc201ec3f5ac23aa96b5568a176f","import_time":"2026-05-26T05:53:14.715082467Z","versions":["1.1.32"],"id":"IN-MAL-2026-004768","source":"amazon-inspector"},{"modified_time":"2026-05-24T23:41:42Z","sha256":"f1362c8a1baa1868bc39797b170ecd8018b1d5181b599cec13f52620836e13d0","import_time":"2026-05-26T05:52:50.11683154Z","versions":["1.1.25"],"id":"IN-MAL-2026-004557","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/onboardconnect-agent/v/1.1.24"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/onboardconnect-agent/v/1.1.31"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/onboardconnect-agent/v/1.1.22"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/onboardconnect-agent/v/1.1.15"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/onboardconnect-agent/v/1.1.16"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/onboardconnect-agent/v/1.1.21"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/onboardconnect-agent/v/1.1.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/onboardconnect-agent/v/1.1.32"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/onboardconnect-agent/v/1.1.25"}],"affected":[{"package":{"name":"onboardconnect-agent","ecosystem":"npm","purl":"pkg:npm/onboardconnect-agent"},"versions":["1.1.24","1.1.31","1.1.22","1.1.15","1.1.16","1.1.21","1.1.5","1.1.32","1.1.25"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"10f04c987c7295e052b2d8d21db7e64a63d0161b7401c7ada3289244cf59914d9470ec","sha256":"7bbbd06ec3c0412786ad6f3ff610eea18ad8e9bc597a37b366a29676ceefcb93","path":"dist/crypto.js"},{"tlsh":"0a82734a39f324368773a36d8f1b95053226c81b3909de59bf8c93549f4946c86f2bec","sha256":"9e933b378b7a0fc924056c6f21d42466c960a0911765309af3c6ff42cae2f706","path":"dist/server.js"},{"tlsh":"73f1b85444fb0a70193729a56f1700022b72e7072644fe9877dcc3a49fc5a1ada7b7ed","sha256":"ee16c358f465579cfc150f544e350209e36a90cfedc8d8bc134f76c54289108f","path":"dist/setup.js"},{"tlsh":"8ce1631709fb5e5342a3efa6c69b91016d24a24b3604cd88f56cf314ef1946898b36e8","sha256":"dab9df0e3c1e74e5d515ac01d82a3b8fbb3ceb77fd3171990397e12a1ce75c62","path":"dist/store.js"}],"package_integrity":[{"filename":"onboardconnect-agent-1.1.24.tgz","hashes":{"sha512_sri":"sha512-srwC0hn9FpRP96iFnneT+9H3goMA5/xqcoAePTk/oWMrMlP7jXu4lJqYnoUsehEyauqKOwaCJtJg0dN/VovCWw==","sha1":"57fdbdff35f154455cff19b645e8725e9d139f97"}}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/onboardconnect-agent/MAL-2026-4627.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}