{"id":"MAL-2026-5461","summary":"Malicious code in fhirproxy-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (405cf847121f4bfed32bc5679a40b64c1338b142af75823ef9583944a7ae7b5a)\nOn `npm install` (via the `prepare` lifecycle hook and many other lifecycle aliases) and on `require()`, index.js performs broad reconnaissance and exfiltration of the installer's environment. It collects hostname, username, architecture, working-directory tree, network interfaces, /etc/resolv.conf, process list, .git/HEAD, UID/GID, project package.json metadata, ~/.npmrc registry/scope configuration, the developer's git identity (via `git config --global user.email`), CI/CD environment variables (GITHUB_*, GITLAB_*, AWS_*, CIRCLE_*, etc.), and the presence of ~/.ssh, ~/.aws, ~/.kube. When running on a cloud instance it queries the IMDS endpoint at 169.254.169.254 (stored as the decimal-encoded host `2852039166`), obtains an IMDSv2 token, fetches the IAM role and temporary STS credentials, and includes the first 40 characters of the access token in the payload; equivalent paths exist for Azure and GCP metadata. It also performs DNS reconnaissance against internal-only hostnames (kubernetes.default.svc.cluster.local, vault.internal, consul.service.consul, gitlab.local, jenkins.local, redis.internal, etc.) to map the victim's internal network. Collected data is base64-encoded, fragmented, and exfiltrated via chunked HTTPS GET requests to `momo-rest.lapxa354.workers.dev` (a Cloudflare Workers C2 endpoint), with the destination obscured via `Buffer.from(\"bW9tby1yZXN0LmxhcHhhMzU0LndvcmtlcnMuZGV2\", \"base64\").toString()` at index.js:43. The package additionally squats common build-tool command names by declaring `bin` entries for webpack, vite, tsc/tsnode, jest, eslint, gulp, next, turbo, and prettier — all aliased to index.js — and spawns the real local tool (e.g. `webpack-cli`) afterwards to mask the malicious behavior when invoked via PATH or `npx`.\n","modified":"2026-06-09T19:01:27.883282912Z","published":"2026-06-09T18:03:59Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005167","sha256":"405cf847121f4bfed32bc5679a40b64c1338b142af75823ef9583944a7ae7b5a","versions":["1.0.8"],"import_time":"2026-06-09T18:50:21.700896197Z","source":"amazon-inspector","modified_time":"2026-06-09T18:03:59Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/fhirproxy-utils/v/1.0.8"}],"affected":[{"package":{"name":"fhirproxy-utils","ecosystem":"npm","purl":"pkg:npm/fhirproxy-utils"},"versions":["1.0.8"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fhirproxy-utils/MAL-2026-5461.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"1d13a6195136261586b1f7fb9a435825fb3762a3224286c43eec4b446fb316891e2ffc","path":"index.js","sha256":"32507e950dee91e172fba9373a91161de2d849a4e95b767f88033cfe9eefd846"},{"tlsh":"3351ceb3deb10e2254bd9ee5946a2d89f5d3473f20580487f0bd126dabf26a1c8cdb04","path":"package.json","sha256":"fe6f2b33ead4704b8ce4ab4ce005c2da52d7a62526cb776fa729a95e67be4129"}],"package_integrity":[{"hashes":{"sha1":"bf67a8e960798115de625ac7257998a789040105","sha512_sri":"sha512-c0rjns1NsAjDM4UUU7ZyyMg1Hp3x+nFtBfUNgZayoZkfRBLyEa1eSRS5ZuCGRUM1siVxEoLaUQ7Fi3uXDrDBaw=="},"filename":"fhirproxy-utils-1.0.8.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}