{"id":"MAL-2026-5798","summary":"Malicious code in @resolvx/core (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4639df1cd39850efb8106cbc5ecf3648f386c0cc5cff6c457d90f6a4d569cef0)\nOn `npm install`, scripts/postinstall.js connects to a hardcoded attacker IP (http://213.218.160.189:8080, fallback:80), sends a base64-encoded host fingerprint (hostname, username, platform, arch) as the `q` query parameter, optionally XOR-decrypts the HTTP response with an embedded hex key, writes the decrypted bytes to a hidden file (`.node_\u003crand\u003e.js`) under /tmp or %LOCALAPPDATA%/Temp, spawns it as a detached Node process with stdio ignored and windowsHide set, calls unref(), and deletes the staging file ~5 seconds later. The script also performs anti-analysis checks (scans `tasklist` for wireshark/fiddler/procmon/x64dbg/ida), introduces a randomized 0.5–2.5s start delay, and skips execution when `npm_config_dry_run` is set to evade dry-run inspection. \nThe combination of plaintext HTTP fetch from a bare IP, payload decryption, hidden filename staging, detached background execution, and anti-analysis gating is a textbook install-time dropper that yields full code execution on the installer's machine and exfiltrates host identification to the attacker for follow-on targeting.\n","modified":"2026-06-15T19:06:35.425416979Z","published":"2026-06-15T18:00:19Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-15T18:00:24Z","import_time":"2026-06-15T18:54:55.97094478Z","sha256":"052d246b7ece22aa1b8e1a365e8c56a7655f5bb9136c946c93491d3f45bad6fc","versions":["2.4.2"],"source":"amazon-inspector","id":"IN-MAL-2026-006651"},{"modified_time":"2026-06-15T18:00:20Z","import_time":"2026-06-15T18:54:55.897288514Z","sha256":"4639df1cd39850efb8106cbc5ecf3648f386c0cc5cff6c457d90f6a4d569cef0","versions":["2.4.1"],"source":"amazon-inspector","id":"IN-MAL-2026-006650"},{"modified_time":"2026-06-15T18:00:25Z","import_time":"2026-06-15T18:54:56.048694099Z","sha256":"c4a11c4df96cafcd14b258bbd044e008dc789bf4860930df33ce06bac5b22372","versions":["2.4.2"],"source":"amazon-inspector","id":"IN-MAL-2026-006652"},{"modified_time":"2026-06-15T18:00:19Z","import_time":"2026-06-15T18:54:55.839646457Z","sha256":"c616f535bbbe417cfb9a1e54c6c98a9a40c2631ce26c3209ab5b43bc05ae4aec","versions":["1.0.0"],"source":"amazon-inspector","id":"IN-MAL-2026-006649"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@resolvx/core/v/2.4.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@resolvx/core/v/2.4.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@resolvx/core/v/1.0.0"}],"affected":[{"package":{"name":"@resolvx/core","ecosystem":"npm","purl":"pkg:npm/%40resolvx%2Fcore"},"versions":["2.4.2","2.4.1","1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@resolvx/core/MAL-2026-5798.json","indicators":{"evidence_files":[{"sha256":"bb1253d7958c76ae002b219dc29bc929ba121d910d0319ea784093bbfb969191","path":"scripts/postinstall.cjs","tlsh":"d45142c426f5013441a395a85baba522b27fe213b456dae4fe8c47401f45778c2f39fd"}],"package_integrity":[{"filename":"core-2.4.2.tgz","hashes":{"sha512_sri":"sha512-WHOJHbJtDuyq4dCVHmA0otzg/UAA4tXL+or9CAgv9geKnvuvQ64T/V2qpS2RnxTOzRK7iQCxc+/rHfMvM7tlvQ==","sha1":"3e28655f2756e0f0835bf0d9a7bf74dbdd9dec96"}}],"ips":["213.218.160.189"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}