{"id":"MAL-2026-5578","summary":"Malicious code in webpack-cache-clean (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8f8656d094ec59721c08eb72a1ec8f1530cd07985edf705032926dd9a19461d9)\nOn `npm install`, the package runs a postinstall hook (`node -e \"require('./loader.js')\"`) that spawns a detached child process. The child decodes an obfuscated base64 URL (mislabeled as 'hex' with large whitespace padding) resolving to https://jsonkeeper.com/b/L435A, an anonymous JSON paste host, performs an HTTPS GET, extracts JavaScript source from a `manifest.session` field, writes it to a temp file, and `require()`s it — with no signature, hash, or pinned-version check. The fetched code runs with the installer's privileges and can be changed by the attacker between fetches. The package metadata is also inconsistent: the package name is `webpack-cache-clean`, the README is titled `webpack-cache-plugin`, the repository URL points at `webpack-tools/webpack-cache-plugin`, and the author is the generic `Webpack Tools` — a cover story to lure installers searching for legitimate webpack cache tooling.\nThis satisfies install-time-rce: attacker-controlled, unpinned, obfuscated remote code execution fires automatically on default install.\n","modified":"2026-06-11T05:46:32.770524655Z","published":"2026-06-11T05:06:29Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-11T05:41:05.393584545Z","id":"IN-MAL-2026-005544","versions":["0.1.4"],"source":"amazon-inspector","sha256":"8f8656d094ec59721c08eb72a1ec8f1530cd07985edf705032926dd9a19461d9","modified_time":"2026-06-11T05:06:29Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/webpack-cache-clean/v/0.1.4"}],"affected":[{"package":{"name":"webpack-cache-clean","ecosystem":"npm","purl":"pkg:npm/webpack-cache-clean"},"versions":["0.1.4"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"f8af520244d3e4fc3d3d97c52cfd19acf09d85fc","sha512_sri":"sha512-CVjFL89jerXWo89L992kc+1t7D9cwZVifX/9o5WKHaAubGZLNtHFl2W74pPx6rzy3xxaBksVQ4Olz+OZTN2luA=="},"filename":"webpack-cache-clean-0.1.4.tgz"}],"evidence_files":[{"tlsh":"e531789e1ba52334da70d3d683275426d6a3e6323341d6c0b65c54d20fa2270c2b3efc","sha256":"91bcbd111d8efdb3e486c7ff2ec7d1d8b8710b971f196d909748e33e8263e1a5","path":"loader.js"},{"tlsh":"79f0c0244a646d3319e042c9085093f1f72ace6b09407c894bd3002d868e5b2abfe36e","sha256":"4bf21b43417a589f79a919a35b947239528dd59a03747c2567a34e08f17e5ba3","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/webpack-cache-clean/MAL-2026-5578.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}