{
  "id": "MAL-2026-5704",
  "summary": "Malicious code in friendly-greeter-demo (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3d7aae6052d68219fd3611f6c4faf98ebaa10c81bb2190be2ba9fc8c21414ca8)\nThe package presents itself as a trivial greeting library but ships two independent backdoor paths to a hardcoded bare-IP C2 at http://98.86.244.177:8080. (1) package.json declares `\"postinstall\": \"node postinstall.js\"`, which fires on every `npm install`. postinstall.js re-spawns itself as a detached daemon (POSTINSTALL_DAEMON=1), POSTs the installer's os.hostname() and process.platform to /register, polls /beacon for a `command` field, executes it via child_process.exec with a 30s timeout, and POSTs stdout+stderr back to /results in a jittered loop — a persistent command-and-control backdoor that survives the install and grants the operator of 98.86.244.177 full shell on the installer's machine. (2) index.js (the declared `main`) contains a top-level IIFE that performs the same /register → /beacon → exec → /results flow on `require('friendly-greeter-demo')`, so any consumer that imports the package as a library also gets full RCE. The C2 destination is a bare IPv4 over plaintext HTTP, with no relation to the package's stated greeting purpose.\n",
  "modified": "2026-06-12T20:01:51.485870842Z",
  "published": "2026-06-12T19:15:47Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "modified_time": "2026-06-12T19:16:32Z",
        "versions": ["1.0.4"],
        "source": "amazon-inspector",
        "sha256": "296efda061a9a7286225d84524e63a37f5d4b655352f579db38e6ab244911f1b",
        "id": "IN-MAL-2026-006209",
        "import_time": "2026-06-12T19:44:20.15234419Z"
      },
      {
        "modified_time": "2026-06-12T19:16:36Z",
        "versions": ["1.0.6"],
        "source": "amazon-inspector",
        "sha256": "3d7aae6052d68219fd3611f6c4faf98ebaa10c81bb2190be2ba9fc8c21414ca8",
        "id": "IN-MAL-2026-006212",
        "import_time": "2026-06-12T19:44:20.470285031Z"
      },
      {
        "modified_time": "2026-06-12T19:16:33Z",
        "versions": ["1.0.2"],
        "source": "amazon-inspector",
        "sha256": "6abf509238a817b53302533e1df0b744115e5814c7cf707a5d86d9bc0414d8c4",
        "id": "IN-MAL-2026-006210",
        "import_time": "2026-06-12T19:44:20.250199272Z"
      },
      {
        "modified_time": "2026-06-12T19:15:47Z",
        "versions": ["1.0.3"],
        "source": "amazon-inspector",
        "sha256": "cf7bb5ffaaf1b751fff6564106d0f381be58f3c9541e571f9e1f580a2358d99f",
        "id": "IN-MAL-2026-006208",
        "import_time": "2026-06-12T19:44:20.065373665Z"
      },
      {
        "modified_time": "2026-06-12T19:16:36Z",
        "versions": ["1.0.1"],
        "source": "amazon-inspector",
        "sha256": "e42b62d2ce224204686eadc2dd79e8059a3f21a3fd407b84e7e0a8434af594af",
        "id": "IN-MAL-2026-006211",
        "import_time": "2026-06-12T19:44:20.384109941Z"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.4"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.6"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.2"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.3"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/friendly-greeter-demo/v/1.0.1"}
  ],
  "affected": [
    {
      "package": {
        "name": "friendly-greeter-demo",
        "ecosystem": "npm",
        "purl": "pkg:npm/friendly-greeter-demo"
      },
      "versions": ["1.0.4", "1.0.6", "1.0.2", "1.0.3", "1.0.1"],
      "database_specific": {
        "cwes": [
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"}
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/friendly-greeter-demo/MAL-2026-5704.json",
        "indicators": {
          "evidence_files": [
            {
              "tlsh": "8e41418628f62634a273e6cdea5794276112e0177547cdb1fa4c41602fd732cd4a37ee",
              "sha256": "fb87e8a90951215f81a9bf45197387e4211d24103da368cf4eceb7ac217c9211",
              "path": "postinstall.js"
            },
            {
              "path": "index.js",
              "sha256": "03a6f199b8f9b9946d61fab0a950196c243a68b1ccbcdce8ddef6610dba52c76",
              "tlsh": "9341e44654f6656287a39ba9f74f740a6323d0273117cd51f88c42606fd363c54f2be9"
            },
            {
              "tlsh": "71e02b518d551a331ac10e962856a20df9364d2b02887c4db76b404c4f9e76b58ff74f",
              "sha256": "5d7198391de1fbeb3ca9cd427162d1378f00ad949e1baa1e20e7f5009a22266a",
              "path": "package.json"
            }
          ],
          "package_integrity": [
            {
              "filename": "friendly-greeter-demo-1.0.4.tgz",
              "hashes": {
                "sha1": "2654f7260acfac7ec4f162770aae176298dafd1a",
                "sha512_sri": "sha512-UbYQFL1mPETCpOuuStniNaDCUZuUH/jC3h9jIfT7cnkGJAh9Rsve6CCq2L9xhSHvCG4zzmCBVY/r3GAmJGlLEQ=="
              }
            }
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["inspector-research@amazon.com"], "type": "FINDER"}
  ]
}