{"id":"MAL-2026-5603","summary":"Malicious code in backup-my-data (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (de638457ace180ab303f4002aa27d9560f2caf6c8f28d04ba5521486d65d34b6)\nThe package's collect.js loads child_process, fs, os, http and https, gathers host identifiers via os.hostname() and os.homedir(), enumerates filesystem paths via fs.existsSync, and POSTs the collected data to the hardcoded endpoint http://aab.sportsontheweb.net (collect.js line 13, POST at line 366). The package's stated purpose ('backup-my-data') is a cover; the runtime behavior is system-information harvesting and exfiltration to an attacker-controlled host that has no relationship to the package name or any documented backup service. Installing or loading this package leaks host identity and filesystem reconnaissance data to a third-party endpoint.\n","modified":"2026-06-11T08:01:30.331002272Z","published":"2026-06-11T06:53:18Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.9"],"modified_time":"2026-06-11T06:53:18Z","source":"amazon-inspector","import_time":"2026-06-11T07:49:38.352965425Z","sha256":"3184167d3b1cd30c17f285b5bc511295b55de4b37de52a228cda9f1b80044247","id":"IN-MAL-2026-005663"},{"versions":["1.0.2"],"modified_time":"2026-06-11T06:53:24Z","import_time":"2026-06-11T07:49:38.730593844Z","source":"amazon-inspector","sha256":"909d29560b504f0b737cee3d66f3b32cc61931824e7547c44fb1b30d4958c427","id":"IN-MAL-2026-005665"},{"versions":["1.0.1"],"modified_time":"2026-06-11T06:53:18Z","source":"amazon-inspector","import_time":"2026-06-11T07:49:38.647773894Z","sha256":"de638457ace180ab303f4002aa27d9560f2caf6c8f28d04ba5521486d65d34b6","id":"IN-MAL-2026-005664"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/backup-my-data/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/backup-my-data/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/backup-my-data/v/1.0.1"}],"affected":[{"package":{"name":"backup-my-data","ecosystem":"npm","purl":"pkg:npm/backup-my-data"},"versions":["1.0.9","1.0.2","1.0.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"6733eedc8da2b17c5419f34447f6e1aa060d8e58","sha512_sri":"sha512-vUzE66lKCmekDjyYXYeZ7U6iE7Kd4+v6qPxD7UNIvf9/bhC+10G5IOYC1hGbdCXqSougY9bMggh1GBZvEzbc1w=="},"filename":"backup-my-data-1.0.9.tgz"}],"evidence_files":[{"path":"collect.js","sha256":"57adc4f1f15fdf470534e2b357c51a4c6b50bd6c281237638be2ff781a429fb8","tlsh":"cea21e5b14cb351ac747e70ad7670014ad88abb3b113bb41bb8c9bd41f2ad2663d09f9"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/backup-my-data/MAL-2026-5603.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}