{"id":"MAL-2026-5741","summary":"Malicious code in @achuthvp/postinstall-poc (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c3dc0d7b5fc216ae117dda9c492a6bbdff46e49ab53f069c2d525dab001bcdb9)\npackage.json declares scripts.postinstall = `node postinstall.js`. On every `npm install`, postinstall.js runs `execSync('id')` and POSTs a JSON body containing the `id` output, `os.hostname()`, platform, architecture, `process.cwd()`, and Node version to the hardcoded URL `https://webhook.site/fceebb0d-9f11-4ac0-98db-6f6b3925f7d3` (postinstall.js line 14, exfil call constructed via `https.request` at line 21 with POST at line 24). The behavior is unconditional, undisclosed in the README (`Does nothing much`), and fires on a default install. Although the package self-describes as a POC, the install-time mechanism is identical to an active reconnaissance/exfiltration payload: any developer or CI machine installing this package leaks its identity (uid/gid/groups via `id`, hostname, cwd, platform) to an attacker-readable webhook bin.\n","modified":"2026-06-13T20:46:41.519843531Z","published":"2026-06-13T20:24:46Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.2"],"sha256":"8a5c98a52f068d49b6fbdf96d76a24df1f7807c41e53ab75d6270ca0ce64fb1a","source":"amazon-inspector","modified_time":"2026-06-13T20:24:47Z","import_time":"2026-06-13T20:33:18.941844057Z","id":"IN-MAL-2026-006379"},{"versions":["1.0.3"],"sha256":"91e690492c565ad314bb15d92061ec65f0f5a6622e3b20d9c4acf3170df13ac5","source":"amazon-inspector","modified_time":"2026-06-13T20:24:52Z","import_time":"2026-06-13T20:33:18.994590214Z","id":"IN-MAL-2026-006381"},{"versions":["1.0.2"],"sha256":"972fb1c4637e2b6b3d0ed4a3d24b0f5a91fe190baf271328278eb756c9611e36","import_time":"2026-06-13T20:33:18.916329426Z","modified_time":"2026-06-13T20:24:46Z","source":"amazon-inspector","id":"IN-MAL-2026-006378"},{"versions":["1.0.3"],"sha256":"c3dc0d7b5fc216ae117dda9c492a6bbdff46e49ab53f069c2d525dab001bcdb9","import_time":"2026-06-13T20:33:18.970252282Z","modified_time":"2026-06-13T20:24:52Z","source":"amazon-inspector","id":"IN-MAL-2026-006380"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@achuthvp/postinstall-poc/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@achuthvp/postinstall-poc/v/1.0.3"}],"affected":[{"package":{"name":"@achuthvp/postinstall-poc","ecosystem":"npm","purl":"pkg:npm/%40achuthvp%2Fpostinstall-poc"},"versions":["1.0.2","1.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@achuthvp/postinstall-poc/MAL-2026-5741.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"ips":["104.16.0.34","10.1.0.2"],"evidence_files":[{"path":"postinstall.js","sha256":"97ad818370207f92d58a2e9981e90fd5616b34c61cf5a2e09c4f78e187767fc5","tlsh":"cb41674946f6a1741ab3bd9c936755066262c2173d04fcb8be4d0a601f4fa7c51f07ed"}],"domains":["webhook.site"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-fTMzJ3V5X+66LuzDJyEOn1ryhrHusageUxt2Cemec7p6fP7cDU4jAEyTr6dK8xSPVZsGSBPSIL+J4a8BFDyb2A==","sha1":"74c7ef7b1935a2f527bd7c97d666202c49088c7c"},"filename":"postinstall-poc-1.0.2.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}