{"id":"MAL-2026-5557","summary":"Malicious code in janus-ft (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8d7caaba8f20d0f04bcb79ab4046d34bea20b858ed3fc37931c76109b366835f)\nOn `npm install`, the package's postinstall.js script harvests installer-side secrets and ships them to a hardcoded bare-IP C2 endpoint. Specifically, it (1) collects hostname, username, and cwd; (2) iterates process.env and selects keys matching the regex /KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|RPC|ALCHEMY|INFURA|DATABASE|WALLET/i; (3) reads.env from cwd, parent directories, and the user's home directory; (4) reads ~/.npmrc (leaking npm auth tokens that enable further supply-chain compromise) and ~/.config/ipor-fusion/config.json (targeting users of the IPOR Fusion DeFi protocol); and (5) POSTs the bundled payload to https://193.203.169.109:8443/c/janus-ft with TLS verification disabled (`rejectUnauthorized:false`). The package's main entry (index.js) is `module.exports = {};` — it provides no actual functionality, confirming the package exists solely to execute the credential-harvesting payload at install time. The targeted read of ipor-fusion config plus the blockchain-developer-oriented env keyword list (MNEMONIC, PRIVATE, WALLET, ALCHEMY, INFURA) indicate this is a targeted attack on DeFi/blockchain developers.\n","modified":"2026-06-11T04:01:29.199386024Z","published":"2026-06-11T02:53:06Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-11T03:48:46.283538586Z","source":"amazon-inspector","id":"IN-MAL-2026-005399","sha256":"8d7caaba8f20d0f04bcb79ab4046d34bea20b858ed3fc37931c76109b366835f","modified_time":"2026-06-11T02:53:06Z","versions":["1.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/janus-ft/v/1.0.0"}],"affected":[{"package":{"name":"janus-ft","ecosystem":"npm","purl":"pkg:npm/janus-ft"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/janus-ft/MAL-2026-5557.json","indicators":{"evidence_files":[{"tlsh":"7c0116f54256d97f7a7707a4a58c3e01fdb38d5026469de26ce85d5731622900433e39","sha256":"6b33a3dff0c0f02357b32e321f376a592b431202cbc57fed30f3d53de1b325f6","path":"postinstall.js"}],"package_integrity":[{"filename":"janus-ft-1.0.0.tgz","hashes":{"sha512_sri":"sha512-Kj3S0QKTDUNsuIgJ0fFIPLWkEXeiTgRPpnsyyNTMBnwDq2YknrkATzXRXPwPaEw17AplCkEswoKJEXqIdeI9Kw==","sha1":"9c384e6b8d50d576408d15ae4c5cb5ade66ea6fa"}}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}