{"id":"MAL-2026-5783","summary":"Malicious code in vault-strategies (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6b7037d9efc65a0885cc000a92c46ea9bed2097d02c8fb2883ceaa3eb2fd5eeb)\nOn `npm install`, the package's preinstall hook (`preinstall: node postinstall.js || true`) executes postinstall.js, which enumerates `process.env` and filters keys with a broad credential regex (key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host), bundles the matched values together with hostname, username, cwd, and npm configuration, and POSTs the payload over HTTPS to the hardcoded bare IP `185.130.46.35:8443/collect`. Errors are swallowed via `|| true` and try/catch so the exfiltration is silent. The version is published as `999.0.0` with description `Internal package` — the canonical dependency-confusion shape, designed to be auto-resolved over an organization's private `vault-strategies` package and fire the credential-harvest payload at install time.\n","modified":"2026-06-15T15:46:46.611114656Z","published":"2026-06-15T15:09:23Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-15T15:09:23Z","import_time":"2026-06-15T15:30:21.682689992Z","id":"IN-MAL-2026-006484","versions":["999.0.0"],"source":"amazon-inspector","sha256":"6b7037d9efc65a0885cc000a92c46ea9bed2097d02c8fb2883ceaa3eb2fd5eeb"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vault-strategies/v/999.0.0"}],"affected":[{"package":{"name":"vault-strategies","ecosystem":"npm","purl":"pkg:npm/vault-strategies"},"versions":["999.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2","sha256":"d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3","path":"postinstall.js"},{"tlsh":"a7c022308d12977318c407822862840271a20c2f2000a81807c7285002aa77248ab20e","sha256":"f6ed4caa3e6667e7ddf3b28cb9b4b02300cbe4c086b8c436b34752e9e8d1fe46","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"a16db8055cd9fcd9923f898ed4ad394af89ffbcd","sha512_sri":"sha512-dHtKfv+BDGr0N1Dm/KUM0YRHYscD+zV9Vm3dR6HrlZQjXohkrYnHySZyucfOd5aE8XKzzF3Hbma2CdrilAXxiQ=="},"filename":"vault-strategies-999.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vault-strategies/MAL-2026-5783.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}