{"id":"MAL-2026-5604","summary":"Malicious code in cache-section-helper (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cad3d2732831e4b798073aff289abd1abdbb718b4caa9e4f970a0dd3f7733653)\npackage.json declares a postinstall hook (`node -e \"require('./loader.js')\"`) that runs automatically on every `npm install`. loader.js hex-decodes the string `68747470733a2f2f6a736f6e6b65657065722e636f6d2f622f4c34333541` to the URL `https://jsonkeeper.com/b/L435A`, fetches a JSON document from that anonymous paste host, extracts a `manifest.session` field, writes it to a temporary file under `os.tmpdir()/wpc-*/cfg-\u003cts\u003e.js`, `require()`s it to execute the attacker-supplied JavaScript, then deletes the file to hide traces. The dropper is launched via `spawn(process.execPath, [tmpFile], { detached: true, stdio: 'ignore', cwd: os.tmpdir() }).unref()` so the child Node process outlives the npm install and runs without producing visible output. The package presents itself as a webpack caching helper (class `WebpackCachePlugin` in index.js, a README that instructs `npm install cache-helper` — a different name suggesting impersonation), but the advertised plugin code is trivial; the real behavior is the install-time dropper. Every installer fetches and executes attacker-controlled, mutable, unauthenticated code from a paste host with no integrity verification.\n","modified":"2026-06-11T08:01:30.890316489Z","published":"2026-06-11T07:24:13Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-11T07:49:42.720701973Z","modified_time":"2026-06-11T07:24:14Z","versions":["1.0.7"],"sha256":"4da4f8014e1d74a0329e5f414692fb9267f2eab553d393e47d810078f1708b06","id":"IN-MAL-2026-005702","source":"amazon-inspector"},{"import_time":"2026-06-11T07:49:42.598096171Z","modified_time":"2026-06-11T07:24:13Z","versions":["1.0.7"],"sha256":"cad3d2732831e4b798073aff289abd1abdbb718b4caa9e4f970a0dd3f7733653","id":"IN-MAL-2026-005701","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cache-section-helper/v/1.0.7"}],"affected":[{"package":{"name":"cache-section-helper","ecosystem":"npm","purl":"pkg:npm/cache-section-helper"},"versions":["1.0.7"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"a5ead14cb7532cc465ecd9f3330450e8bd6c35fca6b9d9dd2411344828294e83","tlsh":"d2318a9e1ba52234da70d3d653235426d5a3e6327341e6c0b65c58d20fa2270d2b3dfc","path":"loader.js"},{"sha256":"72ad22dc419e8c232e8d8d82b50e7926551b4cfa6e55f1b83e3f0c3fb2b2b5a1","tlsh":"a5f0c0384a60a9330bc102aa7c119241b7214e1f6704bc1916e7002e87de2f3d6ff3ad","path":"package.json"}],"domains":["jsonkeeper.com"],"package_integrity":[{"filename":"cache-section-helper-1.0.7.tgz","hashes":{"sha1":"411e631204f3369a31640efcdf9c8b71dae141e9","sha512_sri":"sha512-w+gWZ7eFUiuSypnHouvHCecRqeHnWMuH0bpd3MlEjnVHK5tF0UDQKiF6E8+/e0nvDUEyWGUBCLxpmNjj+feXzQ=="}}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cache-section-helper/MAL-2026-5604.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}