{"id":"MAL-2026-4703","summary":"Malicious code in veteran (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (70a20dd9f8d6a9df01d766c25693711d90e4303e3c68fa371f0b842f83c485b4)\nOn `npm install`, the package's postinstall hook (`install.js`, registered via `package.json` line 10 `\"postinstall\": \"node install.js\"`) downloads a platform-specific executable from `https://laogou.us/download/veteran/v1.0.0/veteran_1.0.0_\u003cplatform\u003e_\u003carch\u003e.{tar.gz,zip}` (install.js:13 `const DOWNLOAD_BASE_URL = 'https://laogou.us/download/veteran'`), extracts it via shell `tar`/`unzip`, `chmod 0o755`s it (install.js:165), and immediately executes it (install.js:170 `execSync(\"${BIN_PATH}\" version\",...)`). The download host `laogou.us` does not match the package's declared publisher/homepage (`github.com/yongjie0203/veteran`); the URL is not version-pinned to a hash or signature; no checksum or signature verification is performed on the fetched bytes; and source comments suggest the URL is meant to be swapped by future maintainers. The operator of `laogou.us` can therefore serve arbitrary native code to every installer, with the bytes executed under the installer's user on `npm install`. This matches the publisher-mismatched, unverified, mutable-host dropper pattern.\n","modified":"2026-05-26T06:03:02.783582371Z","published":"2026-05-21T16:28:03Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-22T12:08:42Z","import_time":"2026-05-26T05:52:07.751401281Z","versions":["1.0.5"],"source":"amazon-inspector","id":"IN-MAL-2026-004199","sha256":"2090d10d814f7a007b22aef6b4a02f936d6aa7c4d6aa3e33119cb4790b7a1cc7"},{"modified_time":"2026-05-21T16:28:04Z","import_time":"2026-05-26T05:51:32.946530679Z","versions":["1.0.3"],"source":"amazon-inspector","id":"IN-MAL-2026-003903","sha256":"32d36199543a5734d26e7afa06931d745a1bc1e45b6e381cf0b6de00569bec33"},{"modified_time":"2026-05-21T16:28:03Z","import_time":"2026-05-26T05:51:32.837610855Z","versions":["1.0.3"],"source":"amazon-inspector","id":"IN-MAL-2026-003902","sha256":"70a20dd9f8d6a9df01d766c25693711d90e4303e3c68fa371f0b842f83c485b4"},{"modified_time":"2026-05-22T12:08:42Z","import_time":"2026-05-26T05:52:07.866508734Z","versions":["1.0.5"],"source":"amazon-inspector","id":"IN-MAL-2026-004200","sha256":"8a0b963f374ca64c5f3c294b3479ec208aa4c4fd28e2fcc536f0a40f46589fe4"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/veteran/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/veteran/v/1.0.3"}],"affected":[{"package":{"name":"veteran","ecosystem":"npm","purl":"pkg:npm/veteran"},"versions":["1.0.5","1.0.3"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/veteran/MAL-2026-4703.json","indicators":{"domains":["laogou.us"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-CvuPok1uJTY3yRHpvfTqlEcgSiSrNZV1PklJRMs74My+NjL/zTO1wXU5t5xzm2V2CXmJaIwVNtEBtj8qdSMiSQ==","sha1":"0052d8a2de42bc9f2899a68e58c9891116c1e26f"},"filename":"veteran-1.0.5.tgz"}],"evidence_files":[{"sha256":"3426e013b778c090d500dd32edb24ebd51bc8a508c0a34d2b8ac42a5d5fe2e67","path":"install.js","tlsh":"d9d176c95af3923147b3519a574b2412722b80132509da9c7aad83587fa2f64c1a27ff"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}