{"id":"MAL-2026-5653","summary":"Malicious code in pc-optimizer (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f046d16052b9121c55f2fd5e6eb2be90ce24e7b007efca3c2a9e7f64dab8f6bf)\nThe package's collect.js imports child_process, fs, http, https, and os, reads host identifiers via os.hostname() and os.homedir(), inspects local filesystem paths via fs.existsSync, and POSTs collected data to a hardcoded external endpoint at http://aab.sportsontheweb.net. The destination is not a registry, vendor SDK host, or documented service — it is an unrelated third-party domain bound to a POST in install/load-reachable code. The combination of system enumeration (hostname, homedir, child_process), filesystem inspection, and a hardcoded non-publisher exfiltration endpoint is the canonical host-information stealer fingerprint and provides direct attacker benefit (host fingerprinting + arbitrary collected data shipped off-host).\n","modified":"2026-06-11T15:01:29.349156575Z","published":"2026-06-11T13:28:04Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-11T13:28:04Z","sha256":"9f3f55c554f0b1b48f8ebaa1b8ee6a9d005c972fa06bef7c9727946e5d422aa4","import_time":"2026-06-11T14:48:05.794332855Z","id":"IN-MAL-2026-005748","versions":["1.0.1"],"source":"amazon-inspector"},{"versions":["1.0.2"],"sha256":"f046d16052b9121c55f2fd5e6eb2be90ce24e7b007efca3c2a9e7f64dab8f6bf","import_time":"2026-06-11T14:48:05.874007514Z","id":"IN-MAL-2026-005750","modified_time":"2026-06-11T13:28:07Z","source":"amazon-inspector"},{"versions":["1.0.9"],"sha256":"f1dd847960d4aa149ddf901c3b85fa93f3ef2b50d5dfeb64ba3b4599f23ed3aa","import_time":"2026-06-11T14:48:05.844910927Z","id":"IN-MAL-2026-005749","modified_time":"2026-06-11T13:28:05Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/pc-optimizer/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/pc-optimizer/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/pc-optimizer/v/1.0.9"}],"affected":[{"package":{"name":"pc-optimizer","ecosystem":"npm","purl":"pkg:npm/pc-optimizer"},"versions":["1.0.1","1.0.2","1.0.9"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"44a21e5b14cb351ac747e70ad7670014ad88abb3b113bb41bb8c9bd41f2ad2662d09f9","sha256":"463735e1a5b9150efad9ef66856033363d7ffb55490e84d1bf450c0e1406ef4d","path":"collect.js"}],"package_integrity":[{"filename":"pc-optimizer-1.0.1.tgz","hashes":{"sha512_sri":"sha512-rRfMT31QEXwhKzT/VbD616FealDguzqCy30jfl1TUCpujTdSXoLbeRKbwpZLGfuZVdueqx2QYRu7UFobVUkCCw==","sha1":"d138178d30e19ce7dacabef112775241a5ff4be1"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pc-optimizer/MAL-2026-5653.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}