{"id":"MAL-2026-5733","summary":"Malicious code in node-app-doctor (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (addccbccd4c3c52cd67098a571ed77a4f55ea2303746f421b22b5bbf175a345e)\ncollect.js gathers host identifiers via os.hostname() and os.homedir(), reads local filesystem state with fs.existsSync, spawns child_process commands, and POSTs the collected data to the hardcoded endpoint http://aab.sportsontheweb.net. The destination domain is unrelated to any legitimate npm/Node tooling publisher and there is no plausible benign reason for a 'node app doctor' utility to ship installer/host telemetry to that host. The combination of system enumeration (hostname, home directory, child_process), filesystem inspection, and hardcoded plaintext HTTP POST to an unaffiliated domain is the standard host-fingerprint exfiltration shape.\n","modified":"2026-06-13T07:31:42.240535378Z","published":"2026-06-13T06:58:16Z","database_specific":{"malicious-packages-origins":[{"sha256":"2672da84038326aef670f6e4b5276bc4d1a2f678d986f0a422858bac2a39f6b5","import_time":"2026-06-13T07:25:39.268133377Z","modified_time":"2026-06-13T06:58:30Z","versions":["1.0.9"],"source":"amazon-inspector","id":"IN-MAL-2026-006316"},{"sha256":"a36bb51486017eff5ce97b5a6c916f6140e0dd1cbfe3f2686bbeb97c03995395","import_time":"2026-06-13T07:25:39.202479907Z","modified_time":"2026-06-13T06:58:27Z","versions":["1.0.2"],"source":"amazon-inspector","id":"IN-MAL-2026-006315"},{"sha256":"a675df3cebba84e131f74db241a485e0eea07d89837e6fb9d91aac2342713f08","import_time":"2026-06-13T07:25:39.005814391Z","id":"IN-MAL-2026-006312","versions":["1.0.1"],"source":"amazon-inspector","modified_time":"2026-06-13T06:58:16Z"},{"sha256":"addccbccd4c3c52cd67098a571ed77a4f55ea2303746f421b22b5bbf175a345e","import_time":"2026-06-13T07:25:39.077141852Z","modified_time":"2026-06-13T06:58:26Z","versions":["1.0.9"],"source":"amazon-inspector","id":"IN-MAL-2026-006313"},{"sha256":"bb98b7bd393ae33a610f2cb95e294878050d42ba2757be857c34e8a411bfec3a","import_time":"2026-06-13T07:25:38.924501166Z","id":"IN-MAL-2026-006311","versions":["1.0.1"],"source":"amazon-inspector","modified_time":"2026-06-13T06:58:16Z"},{"sha256":"9c131ec8f08bea5eecdaa826ff4a17588c61dc432ca61ef3658dbe0e6b4aebe8","import_time":"2026-06-13T07:25:39.154074292Z","id":"IN-MAL-2026-006314","versions":["1.0.2"],"source":"amazon-inspector","modified_time":"2026-06-13T06:58:26Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-app-doctor/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-app-doctor/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-app-doctor/v/1.0.2"}],"affected":[{"package":{"name":"node-app-doctor","ecosystem":"npm","purl":"pkg:npm/node-app-doctor"},"versions":["1.0.9","1.0.2","1.0.1"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-app-doctor/MAL-2026-5733.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-0OZN1ofsvbcYrfcLOauNKnl/30gkF2Ey2bQ9tB2It3KpHrBv3N01jIbBmnzshG/+LxP3L5FSoowFcfJrv9PRBw==","sha1":"9c1bb5f4c3290e2b503cd1b75236077e895d1f40"},"filename":"node-app-doctor-1.0.9.tgz"}],"ips":["104.16.8.34","10.1.0.2"],"evidence_files":[{"sha256":"57adc4f1f15fdf470534e2b357c51a4c6b50bd6c281237638be2ff781a429fb8","path":"collect.js","tlsh":"cea21e5b14cb351ac747e70ad7670014ad88abb3b113bb41bb8c9bd41f2ad2663d09f9"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}