{"id":"MAL-2026-5624","summary":"Malicious code in edu-npm-postinstall-demo2 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ce30f195fb63661526196defd7d613a58ded58acd1208989400bf6267de6bfb1)\nOn `npm install`, postinstall.js reads the installer's `.env` file from INIT_CWD, harvests environment variable values (DEMO_-prefixed), collects host identifiers via os.hostname() and os.platform(), and POSTs the combined payload to a hardcoded ngrok tunnel at https://scary-blooper-brewery.ngrok-free.dev/collect. The package describes itself as an educational demo, but the destination is an anonymous, author-mutable tunneling host with no publisher relationship — the canonical install-time exfiltration shape. Additionally, package.json declares a `build` script pointing at scripts/mine_cyrpto.js (misspelled 'crypto'); the file is currently empty and not auto-invoked, but its presence in the tarball is a quality/intent signal alongside the exfil. \nInstaller harm is concrete and automatic on default install: filesystem read of installer secrets + host fingerprinting + outbound transmission to an attacker-style endpoint.\n\n## Source: ossf-package-analysis (fb14831b7d92cfc67e25e029a80fd7a2fb855e68863a0f08f71e8d5fe41fe7ea)\nThe OpenSSF Package Analysis project identified 'edu-npm-postinstall-demo2' @ 1.0.3 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-12T20:01:50.907949465Z","published":"2026-06-11T08:25:49Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.3"],"sha256":"fb14831b7d92cfc67e25e029a80fd7a2fb855e68863a0f08f71e8d5fe41fe7ea","source":"ossf-package-analysis","modified_time":"2026-06-11T08:25:49Z","import_time":"2026-06-11T09:36:25.905564153Z"},{"sha256":"af1015b5508b476dcc0e9aec7c5692f2a296e4cf4ae25a6190c767fd4fe73ef8","versions":["1.0.3"],"id":"IN-MAL-2026-006020","source":"amazon-inspector","modified_time":"2026-06-12T19:07:27Z","import_time":"2026-06-12T19:43:59.012994271Z"},{"source":"amazon-inspector","versions":["1.0.2"],"id":"IN-MAL-2026-006018","sha256":"ce30f195fb63661526196defd7d613a58ded58acd1208989400bf6267de6bfb1","modified_time":"2026-06-12T19:07:26Z","import_time":"2026-06-12T19:43:58.808709978Z"},{"source":"amazon-inspector","versions":["1.0.3"],"id":"IN-MAL-2026-006017","sha256":"4ede37dc48469ec273b470e4b74c65d4f7dfc5a19afac08339287ba16cd0a46a","modified_time":"2026-06-12T19:07:25Z","import_time":"2026-06-12T19:43:58.696694968Z"},{"source":"amazon-inspector","versions":["1.0.1"],"id":"IN-MAL-2026-006012","sha256":"8c1c93fac029298c9951ee680beaec72a89851dd5d6fdabcce01b740d500ef20","modified_time":"2026-06-12T19:07:22Z","import_time":"2026-06-12T19:43:58.178231618Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/edu-npm-postinstall-demo2/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/edu-npm-postinstall-demo2/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/edu-npm-postinstall-demo2/v/1.0.1"}],"affected":[{"package":{"name":"edu-npm-postinstall-demo2","ecosystem":"npm","purl":"pkg:npm/edu-npm-postinstall-demo2"},"versions":["1.0.3","1.0.2","1.0.1"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"e17145c920f2526003eb73d4594f7476f235e2437814d9547e9e53801fc292897e6bab","path":"postinstall.js","sha256":"e33885a839811a2b8643a9de7a58b5667191089f7502bcc2299e499aa6a248cd"},{"tlsh":"46f08410cd101f33a9c8ae2b183a414ae4700c078918bc2837f750ac0b8f17b98bf67e","path":"package.json","sha256":"c61d2ed9b6bf687c2bb867d79bccb596b7b591bf2a8fc29f6629131c88b5160f"}],"domains":["scary-blooper-brewery.ngrok-free.dev"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-zVNvLre9zYEkphTY9gLWzSZTEZKvBHUcNMIkCNamZJnLsjOLCc8UiNMk7oLWntMvEc6VYz/DzSTb+L6VW18D9A==","sha1":"a586db7459aaf4b80262d9977bfcd7ad520d48b6"},"filename":"edu-npm-postinstall-demo2-1.0.2.tgz"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/edu-npm-postinstall-demo2/MAL-2026-5624.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}