{"id":"MAL-2026-5763","summary":"Malicious code in npm-sandbox-research-g3h4 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5e119a878730c42d27b9ec21adae1cbc6e044f1d6703c152010b5261647f1a3a)\nOn install, package.json's postinstall hook executes run.js. The package ships beacon15.js and beacon_linux.js, which import child_process, os, and http and issue outbound HTTP requests carrying host identifiers. beacon_linux.js reads os.hostname() and os.platform() and POSTs them via http.request(); beacon15.js similarly issues GET/http.request() calls referencing host id fields. The combination of a lifecycle hook that runs on every install plus modules that collect host metadata and beacon it outbound matches an install-time host-exfiltration / C2 callback pattern with no legitimate documented purpose.\n","modified":"2026-06-14T08:01:43.783810237Z","published":"2026-06-14T07:30:43Z","database_specific":{"malicious-packages-origins":[{"sha256":"5e119a878730c42d27b9ec21adae1cbc6e044f1d6703c152010b5261647f1a3a","import_time":"2026-06-14T07:43:27.919292174Z","id":"IN-MAL-2026-006459","source":"amazon-inspector","modified_time":"2026-06-14T07:30:43Z","versions":["1.0.0"]},{"sha256":"6df6ab545cb5891153281962879a70b15df1e9e9fb6e404ca7c9dc33e773dfab","import_time":"2026-06-14T07:43:27.965136848Z","id":"IN-MAL-2026-006460","source":"amazon-inspector","versions":["1.0.0"],"modified_time":"2026-06-14T07:30:43Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/npm-sandbox-research-g3h4/v/1.0.0"}],"affected":[{"package":{"name":"npm-sandbox-research-g3h4","ecosystem":"npm","purl":"pkg:npm/npm-sandbox-research-g3h4"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"71071e5c31050ddfe4f42d6abe24f9f0731c117c","sha512_sri":"sha512-XxXz9st8vXy6jOyRjeTDcat/on9hh0T2MJttwBThTSaxvhAv76j+UPgJcnU1MtvRSAp8FsCvs29QEV3Nm7qE1Q=="},"filename":"npm-sandbox-research-g3h4-1.0.0.tgz"}],"evidence_files":[{"sha256":"b15b7345d68f1ae807f297406c204efb63f92bb3597cf507fc508110bc99b267","path":"beacon15.js","tlsh":"9602a515f2a46d90539294b8da4ab448242b921f7d21bde0b7cf06dc2fec65e92309fd"},{"sha256":"60a0fbee8014300d0dd230765cbea7b61e9660a1584ad6a265de71927ff04c68","path":"beacon_linux.js","tlsh":"5db1b7d6a57b41282bd3b89c679f84061823f217b512d8d0b6dc06248fc7924a1a2ded"},{"sha256":"976f408116bd10045ba22f9f5fb834fd3083f189e56dae5844782401b6d5c180","path":"package.json","tlsh":"53f002045c202c332ae43aa90c51ac8db630cf175050b91d437f593c42def3931bb24c"}],"ips":["173.255.233.239","10.1.0.2","104.16.2.34","104.16.7.34","104.16.5.34"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npm-sandbox-research-g3h4/MAL-2026-5763.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}