{"id":"MAL-2026-4783","summary":"Malicious code in @iola_adm/iola-cli (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6e28a7ca88c4000d6efee1c0e324c8f28bebf03ef988e2ac3aa437857f34ee08)\nsrc/cli.js contains a hardcoded endpoint https://apiiola.yasg.ru referenced multiple times (lines 1, 2, 198) and invoked via fetch() at line 256, in code paths that read process.env. The destination domain is a non-descriptive third-party host on the.ru TLD with no relationship to the package's apparent identity (@iola_adm/iola-cli) or any documented publisher infrastructure. The combination of a hardcoded foreign C2-shaped destination, fetch() calls into it, and process.env reads in the same file matches the active-attack/exfiltration shape: any installer who runs the CLI will have environment data shipped to an attacker-controlled endpoint.\n","modified":"2026-05-27T00:31:56.179069953Z","published":"2026-05-26T07:17:56Z","withdrawn":"2026-05-26T18:05:07Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["0.1.2"],"id":"IN-MAL-2026-004859","sha256":"6e28a7ca88c4000d6efee1c0e324c8f28bebf03ef988e2ac3aa437857f34ee08","modified_time":"2026-05-26T07:17:56Z","import_time":"2026-05-26T07:48:28.543552411Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@iola_adm/iola-cli/v/0.1.2"}],"affected":[{"package":{"name":"@iola_adm/iola-cli","ecosystem":"npm","purl":"pkg:npm/%40iola_adm%2Fiola-cli"},"versions":["0.1.2"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"6a02920068f5163202ab71548c4fa80932be0b16344dfe54bb3c81d46f9ec39e5b7dae","path":"src/cli.js","sha256":"0471a7288ee29c8036f82e9cdd23ad6d31d5c7f8961d7104bb4e0db49bea2b33"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-Pjz3nT8S2qB4jY+uiPVPr3dB65Byn3DeUMfSjTvIp9gzz3Ih21S9IAYUt+LyfXIGgfzWALKEcWEzDC7OhKcDGQ==","sha1":"393adf16e360f5638d67941970a43952b7999abc"},"filename":"iola-cli-0.1.2.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@iola_adm/iola-cli/MAL-2026-4783.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}