{"id":"MAL-2026-5556","summary":"Malicious code in janus-flow (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2d33c10c068a69d14d0333b93de7745caffd62013c57de6c55f20a6b53ffdcb1)\nOn `npm install`, the package's postinstall hook (`node postinstall.js 2\u003e/dev/null || true`) silently runs a credential harvester against the installer machine. postinstall.js collects `os.hostname()`, `os.userInfo().username`, `process.cwd()`, platform, and timestamp; iterates `process.env` for keys matching `/KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|RPC|ALCHEMY|INFURA|DATABASE|WALLET/i`; reads `.env` files from multiple paths and `~/.npmrc`; and POSTs the resulting JSON blob to `https://193.203.169.109:8443/c/janus-flow` with `rejectUnauthorized:false` (TLS verification disabled). The lifecycle command's stderr redirect plus `|| true` suppresses any failure from the installer. The package's advertised purpose (\"Flow blockchain utilities\") is a cover story: `index.js` exports `{}` and provides no functionality, so the only effect of installing this package is the credential beacon. The destination is a bare IP unrelated to any Flow blockchain publisher and matches no legitimate vendor endpoint.\n","modified":"2026-06-11T04:01:29.226279513Z","published":"2026-06-11T02:53:13Z","database_specific":{"malicious-packages-origins":[{"sha256":"2d33c10c068a69d14d0333b93de7745caffd62013c57de6c55f20a6b53ffdcb1","import_time":"2026-06-11T03:48:46.49418276Z","modified_time":"2026-06-11T02:53:13Z","versions":["1.0.0"],"source":"amazon-inspector","id":"IN-MAL-2026-005400"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/janus-flow/v/1.0.0"}],"affected":[{"package":{"name":"janus-flow","ecosystem":"npm","purl":"pkg:npm/janus-flow"},"versions":["1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/janus-flow/MAL-2026-5556.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-/G5JcZYwz4uxnVWI+C1/6AmBcGqMi+HXaXRnM75AOljr9KF83VopqiPALY+sFPNLqvNxC2ng7Y0mSuG8+jqm2Q==","sha1":"ee68d81fbc2eef263365abfa733e0c47f7bc3545"},"filename":"janus-flow-1.0.0.tgz"}],"evidence_files":[{"sha256":"eddd394c2665a9a73e5bfd23dbcb5f57be2a7f990e7a6024f67cf175c2439542","path":"postinstall.js","tlsh":"520156f18256d93f7a7706a4a58c3f01fcb38d1026469de26cec5c4732622900433e39"},{"sha256":"8222b8169ee86f25cdccd84d340340060ae3f0cff55e2ea9d344d7c332733b71","path":"index.js","tlsh":"f5700002002032820228800ae280800228c080800000800002888aac0000c000000a80"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}