{"id":"MAL-2026-5577","summary":"Malicious code in web-pool (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d2b1d78cd3ff0c5eeead299eb670d299590b48a453c9416ae2a692bc4173737c)\nRequiring web-pool triggers middleware() to spawn a detached `node lib/initializeCaller.js`. That script base64-decodes a hardcoded endpoint (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the entire `process.env` (CI tokens, npm tokens, AWS_*, GITHUB_TOKEN, arbitrary secrets) to it, and executes the HTTP response body via `new Function('require', response.data)(require)` — granting the attacker arbitrary code execution under the installer's Node process. The C2 URL is hidden behind base64 inside a fake local `process` object that shadows Node's real `process`, an obfuscation pattern designed to defeat static URL scanning. The README masquerades as the `pino` logger (titled `web-corn`, badges and links point to npm pino and pinojs/pino), making this a typosquat lure with a malware loader as its only real behavior.\n","modified":"2026-06-11T05:46:32.719789659Z","published":"2026-06-11T05:10:52Z","database_specific":{"malicious-packages-origins":[{"versions":["2.3.5"],"sha256":"d2b1d78cd3ff0c5eeead299eb670d299590b48a453c9416ae2a692bc4173737c","source":"amazon-inspector","modified_time":"2026-06-11T05:10:52Z","id":"IN-MAL-2026-005552","import_time":"2026-06-11T05:41:06.276668416Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/web-pool/v/2.3.5"}],"affected":[{"package":{"name":"web-pool","ecosystem":"npm","purl":"pkg:npm/web-pool"},"versions":["2.3.5"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad","path":"lib/initializeCaller.js","tlsh":"f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df"},{"sha256":"d78eaaaac028ca2d6f6a457769737b2ca490d38ea624c9ddadc6e5ff4e0718ff","path":"README.md","tlsh":"7351b6a782e46bbe4b6300f1a1c275a9ff5f931c7b6a606ddc9c913d031d9d7813224a"}],"package_integrity":[{"filename":"web-pool-2.3.5.tgz","hashes":{"sha1":"38b6fdd4a9511a255a0cd681d3bc0bb06a270564","sha512_sri":"sha512-CstMwRyD74dnfaKW5NZInq6Mfsmezy3dB9f5Bfi9KZ+8eJjZ0XHhu0ZYCQ5wxjdlXX+VyRDel2i03DCD4ilnbA=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web-pool/MAL-2026-5577.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}