{"id":"MAL-2026-5760","summary":"Malicious code in npm-sandbox-research-c5d6 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e7dd3f64f94b15f73c62c5733a5910802ff22adc514e0eb08e153817fcd4158b)\nThe package declares a postinstall hook (`\"postinstall\": \"node run.js\"`) that executes automatically on `npm install`. The shipped beacon scripts (`beacon11.js`, `beacon_linux.js`) load `child_process`, `os`, and `http`, read host identifiers via `os.hostname()` and `os.platform()`, and issue outbound HTTP GET/POST requests carrying that data. This is the install-time host-fingerprinting and exfiltration shape: lifecycle execution + system-info collection + outbound network in a single chain, with no legitimate library functionality justifying the behavior.\n","modified":"2026-06-14T08:01:43.654760595Z","published":"2026-06-14T07:30:46Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006464","sha256":"e7dd3f64f94b15f73c62c5733a5910802ff22adc514e0eb08e153817fcd4158b","modified_time":"2026-06-14T07:30:46Z","versions":["1.0.0"],"import_time":"2026-06-14T07:43:28.135499775Z","source":"amazon-inspector"},{"versions":["1.0.0"],"sha256":"f94e3174e59659bc3525db8886120231fe3f85edfce419c48b81f1a6f7f2c998","modified_time":"2026-06-14T07:30:46Z","id":"IN-MAL-2026-006466","import_time":"2026-06-14T07:43:28.280386212Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/npm-sandbox-research-c5d6/v/1.0.0"}],"affected":[{"package":{"name":"npm-sandbox-research-c5d6","ecosystem":"npm","purl":"pkg:npm/npm-sandbox-research-c5d6"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-research-c5d6/MAL-2026-5760.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha1":"b115c08d21ed96b0a221aee843a3816b2bd70702","sha512_sri":"sha512-Sn5gfQbYB9suuXfXqP//cKO0dBlsuXcHDY8sUhgD/T6L8pEPNLI2gIFhmKwBtG1nj76uz2OTUepVFqAm295BKQ=="},"filename":"npm-sandbox-research-c5d6-1.0.0.tgz"}],"ips":["173.255.233.239","104.16.4.34","10.1.0.2"],"evidence_files":[{"tlsh":"28e10821da656e647603e5a8df47a8482416f21f3930faa0b3dd548c2fdc11ec5b62fe","sha256":"f4a9ea1da339d73e682bd22b37a57ea2a1141d0953d4a461f7f25bacf237de24","path":"beacon11.js"},{"tlsh":"5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded","sha256":"60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68","path":"beacon_linux.js"},{"tlsh":"3001fe44dd301c7329d42e910e538989fa348f0f9040aeae427b4538a0eee7934bb2bc","sha256":"7353aab298cf717d6e7bfc5d4f4921de08d5a462ce98742188efbb2da65f309a","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}