{"id":"MAL-2026-4732","summary":"Malicious code in workrally (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (502275ca25c6fb0e28db57d91789be11e347b5f21696ed45e15c015d123eaf51)\ndist/index.js imports child_process and runs `whoami` (observed at multiple call sites), then POSTs the result to a hardcoded remote URL `https://workrally.qq.com`. This is the classic host-identity exfiltration shape: gather installer-side identity via `whoami` and ship it to an attacker-controlled destination. The destination is a literal in the bundle (not a default parameter or user-configurable endpoint), and the package's stated purpose does not justify reporting host identity off-machine. Installing or loading this package leaks the installer's username/host to the operator of workrally.qq.com.\n","modified":"2026-05-27T00:32:10.127563578Z","published":"2026-05-19T19:00:32Z","withdrawn":"2026-05-26T18:49:12Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:50:17.723507222Z","versions":["2.4.0"],"sha256":"502275ca25c6fb0e28db57d91789be11e347b5f21696ed45e15c015d123eaf51","source":"amazon-inspector","modified_time":"2026-05-19T19:00:32Z","id":"IN-MAL-2026-003251"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/workrally/v/2.4.0"}],"affected":[{"package":{"name":"workrally","ecosystem":"npm","purl":"pkg:npm/workrally"},"versions":["2.4.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/workrally/MAL-2026-4732.json","indicators":{"evidence_files":[{"tlsh":"5d83e86caba5b92657ebb0c1bd040a0adab25f5c4142dc3be1f8ed8b7350456c593b38","path":"dist/index.js","sha256":"a8ef6846a353869412db0b2e84699b0bd5c9c8a80ca147b249a612993409ae7b"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-aukch3+jLfW+9VLcx1UJ8It+yt0g9RCssEyXViDbelP6nOD9T7J9iG0f3jinpOo1hc19H9BPpI4vnCzhuaBnxg==","sha1":"d35858f760aa6574c80d4d67f077236a07e1fee0"},"filename":"workrally-2.4.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}