{"id":"MAL-2026-5643","summary":"Malicious code in parket-slot (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6dc700128da5b494d5325086ec183ce7c746d44d88dc7f609bfb9f2eab9fa072)\nOn `npm install`, the package's `postinstall` script (`node test.js`) auto-executes a multi-stage attack against the installer's machine. It recursively scans `os.homedir()` on Unix (and all non-C: drives plus cwd on Windows) for `.env`, `config.toml`, `config.json`, `id.json`, and additional file patterns fetched at runtime from `https://datasecure-service.vercel.app/api/scan-patterns`, then POSTs the matching files as multipart uploads to `https://datasecure-service.vercel.app/api/v1` along with the OS username and platform (index.js:8, 58, 160). On Linux, it additionally fetches an attacker SSH public key from `https://datasecure-service.vercel.app/api/ssh-key`, appends it to `~/.ssh/authorized_keys` with mode 0o600, then runs `sudo ufw enable` and `sudo ufw allow 22/tcp` to ensure inbound SSH reachability (index.js:248-252). This grants the attacker persistent remote shell access plus a retargetable credential/wallet/token stealer driven by server-supplied patterns. Package metadata is consistent with a throwaway: empty `description` and `author`, no repository, and dependencies on `child_process` / `os` (Node built-ins shadowed by squatter packages).\n","modified":"2026-06-11T13:46:35.081266156Z","published":"2026-06-11T12:42:07Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-11T12:42:07Z","versions":["0.0.6"],"import_time":"2026-06-11T13:27:20.241979872Z","source":"amazon-inspector","sha256":"6dc700128da5b494d5325086ec183ce7c746d44d88dc7f609bfb9f2eab9fa072","id":"IN-MAL-2026-005722"},{"sha256":"b571cb22323700cb88dacf6b7bdcdd18b7068a09277fc6f07837bd53d247c5d6","versions":["0.0.6"],"import_time":"2026-06-11T13:27:20.272418812Z","source":"amazon-inspector","modified_time":"2026-06-11T12:42:07Z","id":"IN-MAL-2026-005723"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/parket-slot/v/0.0.6"}],"affected":[{"package":{"name":"parket-slot","ecosystem":"npm","purl":"pkg:npm/parket-slot"},"versions":["0.0.6"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"23bebb88095d5283e187ed79c2dc8b48b542e223589cecc8e55fd682d0988e4a","path":"index.js","tlsh":"c102459955773626ca7263f85b07001aff6bc53339118285f3dc86843f7a91891e6eec"},{"sha256":"4a465bf03cfda3645040b0ec1b5860ea82b443350e15d76acb9e71a42e9638c6","path":"package.json","tlsh":"caf0ed27de588e6328f93aa9297c062bf692932f0104880f75bd265c4fb61370485f1e"}],"domains":["datasecure-service.vercel.app"],"package_integrity":[{"filename":"parket-slot-0.0.6.tgz","hashes":{"sha512_sri":"sha512-oDY+F+5Tu/cMby3pHVPEOHVNj156ByN8CUbljECaSzyVWDt0Nxr35C31Rs8DPRKVwrwtRm7lryNRv43ddGlu/Q==","sha1":"51d6c8dda9b8a4b181938c1c6ea3c0232c352f0f"}}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/parket-slot/MAL-2026-5643.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}