{"id":"MAL-2026-5609","summary":"Malicious code in clean-my-pc (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8139d8347bc83b12e276e481509aaca6af69adff21f7df1658a6eeadd31562f6)\nThe package's collect.js imports child_process, fs, http, https, and os, gathers host identifiers via os.hostname() and os.homedir(), reads files from the local filesystem (fs.existsSync checks at lines 20 and 27), and POSTs the collected data to a hardcoded external endpoint at http://aab.sportsontheweb.net (referenced at line 13, with the POST request at line 366). The destination domain is unrelated to any legitimate PC-cleaning utility purpose and matches the structural fingerprint of a host-information / filesystem exfiltration beacon: hardcoded non-publisher C2 + system identity collection + outbound POST. Installing or loading this package causes the installer's hostname, home-directory contents indicator, and other host data to be transmitted to the attacker-controlled endpoint over plaintext HTTP.\n","modified":"2026-06-11T08:01:31.423362127Z","published":"2026-06-11T06:52:05Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.5"],"source":"amazon-inspector","id":"IN-MAL-2026-005660","import_time":"2026-06-11T07:49:38.073051906Z","sha256":"0643990e40a068c184fc70b258368e07ce0b7cb6b81478a82da8e76e169dfbfe","modified_time":"2026-06-11T06:52:08Z"},{"versions":["1.0.2"],"source":"amazon-inspector","modified_time":"2026-06-11T06:52:14Z","import_time":"2026-06-11T07:49:38.248936275Z","sha256":"5f90d40c1809406517b17c6d51086a8bc1c09492413d8db182dbb29de829bd37","id":"IN-MAL-2026-005662"},{"versions":["1.0.1"],"source":"amazon-inspector","id":"IN-MAL-2026-005661","import_time":"2026-06-11T07:49:38.163022943Z","sha256":"8139d8347bc83b12e276e481509aaca6af69adff21f7df1658a6eeadd31562f6","modified_time":"2026-06-11T06:52:13Z"},{"versions":["1.0.4"],"source":"amazon-inspector","modified_time":"2026-06-11T06:52:06Z","import_time":"2026-06-11T07:49:37.981203016Z","sha256":"9c0da96e59f83bd52a688d90504e873aa5c0c8ed2ec5fc37c0d35b35ac6dc190","id":"IN-MAL-2026-005659"},{"versions":["1.0.9"],"source":"amazon-inspector","id":"IN-MAL-2026-005657","import_time":"2026-06-11T07:49:37.799536831Z","sha256":"cb6ce87f95f3510f104ff3b69e555f9dcff24c2b4333967e21f2c2264b673c3a","modified_time":"2026-06-11T06:52:05Z"},{"versions":["1.0.3"],"source":"amazon-inspector","id":"IN-MAL-2026-005658","import_time":"2026-06-11T07:49:37.882010642Z","sha256":"4110a6fab49f763df4587e8710ef8e4e0ec5823c7a65cff1462ccdcc6a95da5b","modified_time":"2026-06-11T06:52:06Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/clean-my-pc/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/clean-my-pc/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/clean-my-pc/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/clean-my-pc/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/clean-my-pc/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/clean-my-pc/v/1.0.3"}],"affected":[{"package":{"name":"clean-my-pc","ecosystem":"npm","purl":"pkg:npm/clean-my-pc"},"versions":["1.0.5","1.0.2","1.0.1","1.0.4","1.0.9","1.0.3"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"2234a3b6d47ca087b14e0eac39c71d339f0e1f69e2deee983dc5df7e59b6f433","tlsh":"2ca22e5b14cb351ac747e70ad7670014ad88afb3b112bf41bb8c9bd41f2ad16a2d09f9","path":"collect.js"}],"package_integrity":[{"filename":"clean-my-pc-1.0.5.tgz","hashes":{"sha1":"bdd6126736ed4667fa52fbe077f157493bef3246","sha512_sri":"sha512-l9dv2bttx+7H778DOJA5L7fIEbXTurh0IagWw65Dq7RDulctsIo5qDSurP4Lteq3iVs9Ox2En2VfbKir1AHY5g=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/clean-my-pc/MAL-2026-5609.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}