{"id":"MAL-2026-5782","summary":"Malicious code in token-prices-cron (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (10adc862166a2dbaf26f3dc56b4c1dfa0fd45e625f713380564d0b18fb07088d)\nOn `npm install`, the preinstall lifecycle script in postinstall.js enumerates process.env, filters keys matching a broad credential regex (key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host), and bundles them with hostname, username, cwd, and npm registry/prefix metadata. The collected payload is POSTed over the network to a hardcoded bare IP at 185.130.46.35:8443 — no domain, no TLS verification context, no documented purpose. The package itself is a hollow shell: index.js is `module.exports = {}`, the description is 'Internal package', and the version is 999.0.0 — the canonical dependency-confusion shape designed to win resolution against a private-registry package of the same name and trigger the credential harvester on corporate build machines. A source comment confirms intent ('Exfil CI environment variables on install').\n","modified":"2026-06-15T15:46:46.377657349Z","published":"2026-06-15T15:09:45Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-15T15:30:22.236685127Z","id":"IN-MAL-2026-006488","source":"amazon-inspector","sha256":"10adc862166a2dbaf26f3dc56b4c1dfa0fd45e625f713380564d0b18fb07088d","modified_time":"2026-06-15T15:09:45Z","versions":["999.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/token-prices-cron/v/999.0.0"}],"affected":[{"package":{"name":"token-prices-cron","ecosystem":"npm","purl":"pkg:npm/token-prices-cron"},"versions":["999.0.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2","path":"postinstall.js","sha256":"d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3"},{"path":"package.json","tlsh":"f8c080348d255f7318c40bd565a3860576f21d3b5144785857c3149443ef77748bb71e","sha256":"d8ab6665415cb285e69ab885ed074b75b04e9e3226e749f0ea6f0ad3077d8cb7"}],"package_integrity":[{"filename":"token-prices-cron-999.0.0.tgz","hashes":{"sha1":"51adffb553e2f3a7c8e084d1fbe01fb23c3062ba","sha512_sri":"sha512-kgvVSiTU8lSJCnloKwtJphtiSkWoL1bGamb2R+E8HgOhC6Qv45p39Lr6Ev2jjT1p0AaPDe8AdzXN31wVsAnX6g=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/token-prices-cron/MAL-2026-5782.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}