{"id":"MAL-2026-5579","summary":"Malicious code in webpack-cache-cycle (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (82fa37e2478a7109e376e3a062ccb203806511033930eb7390e45fe7ef404b81)\nOn `npm install`, package.json's `postinstall` hook runs `node -e \"require('./loader.js')\"`. loader.js spawns a detached node process that decodes a hex-encoded URL (https://jsonkeeper.com/b/L435A — an anonymous, mutable paste host), performs an HTTPS GET, writes the response's `session` field to a temporary.js file, and `require()`s it — executing attacker-controlled JavaScript on the installer's machine. The URL is obfuscated as a hex literal padded with whitespace inside `Buffer.from(...)` to evade naive string scanners. The detached spawn lets `npm install` exit cleanly while the dropper continues asynchronously. The package's advertised purpose is a webpack cache plugin, which does not justify any network access at install time. The package name `webpack-cache-cycle` and README title `webpack-cache-plugin` impersonate legitimate webpack tooling, with placeholder author metadata (`Webpack Tools`) and a non-existent GitHub repository.\n","modified":"2026-06-11T05:46:32.863668214Z","published":"2026-06-11T05:06:33Z","database_specific":{"malicious-packages-origins":[{"sha256":"028ed41ba1afb95bb86e0ae1536f3e9b4a2695fc8490b7d83033ac86440d59c5","import_time":"2026-06-11T05:41:05.871577895Z","source":"amazon-inspector","id":"IN-MAL-2026-005548","versions":["0.1.4"],"modified_time":"2026-06-11T05:06:34Z"},{"sha256":"82fa37e2478a7109e376e3a062ccb203806511033930eb7390e45fe7ef404b81","import_time":"2026-06-11T05:41:05.778008819Z","source":"amazon-inspector","id":"IN-MAL-2026-005547","versions":["0.1.4"],"modified_time":"2026-06-11T05:06:33Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/webpack-cache-cycle/v/0.1.4"}],"affected":[{"package":{"name":"webpack-cache-cycle","ecosystem":"npm","purl":"pkg:npm/webpack-cache-cycle"},"versions":["0.1.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/webpack-cache-cycle/MAL-2026-5579.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"domains":["jsonkeeper.com"],"evidence_files":[{"tlsh":"d2318a9e1ba52234da70d3d653235426d5a3e6327341e6c0b65c58d20fa2270d2b3dfc","sha256":"a5ead14cb7532cc465ecd9f3330450e8bd6c35fca6b9d9dd2411344828294e83","path":"loader.js"},{"tlsh":"a9f0c0284a646d3319e002c9085093f1f32ace6b09407c984bd3002c868e5b2abfe79e","sha256":"7c1cfc32811eaeeab6a2241b72d6962048542cfb6afa7c042ce469f1bdf9e7ff","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-HTXEEsZQBAsvyKqTMd4+bkzmdmUxEW3HSNMXtrWJCghzTg9XI8436Q/I6xrDuCSJ4mseEmh+zwzkmxDG6ITkkw==","sha1":"c7adeafd40371553e4869ecb12567b99065f7067"},"filename":"webpack-cache-cycle-0.1.4.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}