{"id":"MAL-2026-4704","summary":"Malicious code in veteran-proxy (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e2528c02db9bcb4016a3347fdfae55c037c0462d6c0d29adb4245605424ad31f)\nOn `npm install`, the postinstall hook (`node install.js`) downloads a platform-specific binary archive from a hardcoded `https://your-website.com/downloads/veteran/...` URL, extracts it, chmods it 0755, and immediately executes it (`execSync(\"${BIN_PATH}\" version)`). The README advertises that binaries come from GitHub Releases at `github.com/yongjie0203/veteran/releases`, but the install script hardcodes `your-website.com` with a Chinese-language comment instructing the maintainer to replace it with their real download host — the package was published to npm with the placeholder in place. There is no hash or signature verification of the fetched bytes. Whoever registers or already controls `your-website.com` can ship arbitrary executables to every installer of this package, with full code execution on the installer's machine. Even absent registered malicious intent today, the install path is undefined: the destination domain is not under the publisher's control, the URL is unpinned, and the fetched binary's purpose (advertised as a SOCKS5 proxy) cannot be verified.\n","modified":"2026-05-26T06:03:02.702446657Z","published":"2026-05-21T15:21:38Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003876","import_time":"2026-05-26T05:51:29.946997006Z","versions":["1.0.0"],"sha256":"b3eb733a784dc5c0ef6bcae90345204241a6b4e504f86e22fee7e66fae22376d","modified_time":"2026-05-21T15:23:25Z","source":"amazon-inspector"},{"versions":["1.0.0"],"import_time":"2026-05-26T05:51:29.843670511Z","id":"IN-MAL-2026-003875","sha256":"e2528c02db9bcb4016a3347fdfae55c037c0462d6c0d29adb4245605424ad31f","modified_time":"2026-05-21T15:21:38Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/veteran-proxy/v/1.0.0"}],"affected":[{"package":{"name":"veteran-proxy","ecosystem":"npm","purl":"pkg:npm/veteran-proxy"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-ZDxRP7sLaBoGHbO1SSCL/+RZzvsahvRPCRdZQlI+/3ZkPfxW1f/tdNkhxOSMhU+jxD84uBiFjW1JP/q8S9bgkQ==","sha1":"87fe450cded3ddd2d9dfcc5c0a3a120418f51d57"},"filename":"veteran-proxy-1.0.0.tgz"}],"domains":["your-website.com"],"evidence_files":[{"tlsh":"21d165c959f3923146b351de574f2016b22b80032509da5cbaad83587fa3f64c5a2bff","path":"install.js","sha256":"019fd9b9d08f3df3fe2b5d79dc3157452c8551aa62550beb39837672a2ad0fa6"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/veteran-proxy/MAL-2026-4704.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}