{"id":"MAL-2026-5784","summary":"Malicious code in vaults-monitor-cron (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b81c6b9e59e86c40858cb47e91d597b3776fea71def7feb3ca11833625fa3923)\nOn `npm install`, the package's preinstall hook (`node postinstall.js || true`) executes automatically. The script collects hostname, username, and current working directory, then iterates process.env and filters keys matching the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i, capturing CI tokens, SSH keys, deploy credentials, cloud API keys, RPC/wallet secrets, and similar. The collected JSON payload is POSTed via https.request to the hardcoded bare IP 185.130.46.35:8443/collect. The package metadata reinforces the attack shape: version 999.0.0 and description \"Internal package\" are the canonical dependency-confusion pattern, intended to override an organization's internal `vaults-monitor-cron` package. The `|| true` suffix on the preinstall command swallows errors so the install appears to succeed silently. There is no legitimate functionality in the package — its sole on-install effect is credential exfiltration.\n","modified":"2026-06-15T15:46:46.833771360Z","published":"2026-06-15T15:09:40Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006487","source":"amazon-inspector","import_time":"2026-06-15T15:30:22.11148159Z","modified_time":"2026-06-15T15:09:40Z","sha256":"b81c6b9e59e86c40858cb47e91d597b3776fea71def7feb3ca11833625fa3923","versions":["999.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/vaults-monitor-cron/v/999.0.0"}],"affected":[{"package":{"name":"vaults-monitor-cron","ecosystem":"npm","purl":"pkg:npm/vaults-monitor-cron"},"versions":["999.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"vaults-monitor-cron-999.0.0.tgz","hashes":{"sha1":"81972ef389dc5a799ead8c67e2295639b19ee60f","sha512_sri":"sha512-Mi05MrjD5JtaDpL6OgXPBGjNKXVidwX8a2b+Mhv37uVfrRyDiO/qQ7m4PuRfqNxTqcIq3vrXW7vlOWY0IxtAWg=="}}],"evidence_files":[{"path":"postinstall.js","sha256":"d64656e6553409a54557222ecca0d2d914ac89afab42f95780168653327962f3","tlsh":"ef0141f884ed95a226e797d8f117901761bbd2323d0678b0baa842851fcc27485f2cf2"},{"path":"package.json","tlsh":"49c022348c16963318c4078124a2800565b20c2f2000a81807c3289002ee732086b20d","sha256":"566970a592386fdfeaa4ebac1538194ac647fe2ace1394d2a20381e1cddca4f7"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/vaults-monitor-cron/MAL-2026-5784.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}