{"id":"MAL-2026-5567","summary":"Malicious code in field-upload-tool (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (17402ad5019d1d433139ce2652d18d2493d87acfd1ede435a94c87eb421f25b1)\nOn every `npm install`, the package's `postinstall` lifecycle script in package.json spawns a detached, unref'd Node process that decodes a base64-encoded payload via `node -e Buffer.from(...,'base64').toString()` and executes it. The decoded payload enumerates the installer's full `process.env` (excluding only `npm_lifecycle*` keys, which routinely captures CI/CD secrets, cloud credential env vars, and access tokens), reads `os.networkInterfaces()`, `os.hostname()`, `os.userInfo().username`, the platform, and the current working directory, and HTTPS-POSTs the collected data to a hardcoded Lark/Feishu bot webhook at `open.larksuite.com/open-apis/bot/v2/hook/f1ad5ad2-4ba6-4c9d-afc2-0e908cba26a7` after a randomized 15–45 second delay. The payload also contains sandbox-evasion logic that aborts when canonical example AWS keys, dummy-token patterns (`R4nD0m`, `F4k3T0k3n`, `dummy`), or `NODE_OPTIONS=--require` analyzer hooks are detected, confirming hostile intent. The detached + unref'd spawn pattern is designed to outlive the install process and hide output.\n","modified":"2026-06-11T05:46:31.300849957Z","published":"2026-06-11T04:45:24Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-06-11T05:40:58.009263027Z","id":"IN-MAL-2026-005469","sha256":"17402ad5019d1d433139ce2652d18d2493d87acfd1ede435a94c87eb421f25b1","modified_time":"2026-06-11T04:45:24Z","versions":["1.10.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/field-upload-tool/v/1.10.0"}],"affected":[{"package":{"name":"field-upload-tool","ecosystem":"npm","purl":"pkg:npm/field-upload-tool"},"versions":["1.10.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/field-upload-tool/MAL-2026-5567.json","indicators":{"package_integrity":[{"hashes":{"sha1":"a531045509df07a479138be9c65f7f74f338ff89","sha512_sri":"sha512-lLZ7YdWqeFtwu3ZdaVxXIuPKKXS4MAvFLfZo+1xPhWXSY1Hbc8AbIIPTdWKESmmI+fwHSUjbYpSm0rnMLsfKag=="},"filename":"field-upload-tool-1.10.0.tgz"}],"evidence_files":[{"sha256":"2c56b1b1a0a961b825d9cf172a8cd51605cde5989c4972086a8fb1a1832a717f","tlsh":"a2027320ce458da302a8089665ac0e9302bd91574c96fc8d772c27bc5f6d29f63b5f9e","path":"package.json"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}