{"id":"MAL-2026-5799","summary":"Malicious code in boardflow (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f9d5c1524281430272215f48a90b957cf08f76dcb9954cb73945421dff358eb2)\npackage.json declares `preinstall: node install.js`, which fires automatically on `npm install`. install.js is heavily obfuscated (obfuscator.io string-array shuffle with `_0xNNNN` identifiers and split-string concatenation) to hide its behavior. After deobfuscation, the script downloads `https://www.pooron.org/ice.exe` into the OS temp directory as `tester_\u003crandomhex\u003e.exe`, chmods it 755, and spawn-detaches it via `spawn(PAYLOAD_PATH, [], {detached:true, stdio:'ignore', windowsHide:true}).unref()` — using a cmd-style invocation on Windows and direct exec on macOS/Linux. A console message `[boardstep] Optional dependency initialized.` is printed as a cover story (note that `boardstep` does not match the package name `boardflow`). The payload domain `pooron.org` is not the package's publisher, the URL is mutable and unpinned, no hash or signature check is performed, and the binary is opaque. Supporting indicators of disposability: README is 0 bytes, `dependencies` declares a self-reference (`boardflow: ^1.1.8`), and the package's stated kanban purpose has no implementing code. 
This is a textbook install-time dropper: any developer or build system running `npm install boardflow` immediately executes attacker-controlled code with the installer's privileges.\n","modified":"2026-06-15T20:31:54.318911419Z","published":"2026-06-15T17:30:59Z","database_specific":{"malicious-packages-origins":[{"sha256":"44c1a2a7a8989773ff06953829afe67e6d44ac2f0ed278fd1d3b6c1095af2e3e","modified_time":"2026-06-15T17:30:59Z","versions":["1.1.4"],"id":"IN-MAL-2026-006646","source":"amazon-inspector","import_time":"2026-06-15T18:54:55.747448489Z"},{"sha256":"4f6871f077a9d5bd524351630a320821db83a1c9d72fce8439cac236db123dea","source":"amazon-inspector","versions":["1.1.5"],"id":"IN-MAL-2026-006647","modified_time":"2026-06-15T17:31:02Z","import_time":"2026-06-15T18:54:55.779395856Z"},{"sha256":"9430a740d3fd1c56d55223525f3dfeea208ccb860cc67043780367647bf28055","modified_time":"2026-06-15T17:31:02Z","versions":["1.1.5"],"id":"IN-MAL-2026-006648","source":"amazon-inspector","import_time":"2026-06-15T18:54:55.808404098Z"},{"sha256":"3520dcd1368e2f6462e5ca772009fc9fbbd08e101939bf7d9302d05b2dd7bb5c","source":"amazon-inspector","versions":["1.2.0"],"id":"IN-MAL-2026-006674","modified_time":"2026-06-15T19:39:29Z","import_time":"2026-06-15T20:14:26.218214583Z"},{"sha256":"450e43eca990ae027582424755a167dcb05f5d10561ba2e6ca960cb75daf7b6d","source":"amazon-inspector","versions":["1.1.6"],"id":"IN-MAL-2026-006677","modified_time":"2026-06-15T19:39:32Z","import_time":"2026-06-15T20:14:26.669206285Z"},{"sha256":"59759162b86b7e677218f15ebde6675f9fa6e6a6acef80839219a507d229c930","modified_time":"2026-06-15T19:39:27Z","versions":["1.2.1"],"id":"IN-MAL-2026-006673","source":"amazon-inspector","import_time":"2026-06-15T20:14:26.134039227Z"},{"sha256":"be03976e81028345e9bef1648f70d09264024298160cb4ff2ac123c384d31831","source":"amazon-inspector","versions":["1.1.7"],"id":"IN-MAL-2026-006676","modified_time":"2026-06-15T19:39:31Z","import_time":"2026-06-15T20:14:26.574753975Z"},{"sha256":"f
86d380601bfb580bd1337b13be24dda3c998cf9ba7fdec4c250808da3000295","source":"amazon-inspector","versions":["1.1.9"],"id":"IN-MAL-2026-006675","modified_time":"2026-06-15T19:39:30Z","import_time":"2026-06-15T20:14:26.368974342Z"},{"sha256":"f9d5c1524281430272215f48a90b957cf08f76dcb9954cb73945421dff358eb2","modified_time":"2026-06-15T19:39:21Z","versions":["1.1.8"],"id":"IN-MAL-2026-006672","source":"amazon-inspector","import_time":"2026-06-15T20:14:25.955538126Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/boardflow/v/1.1.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/boardflow/v/1.1.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/boardflow/v/1.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/boardflow/v/1.1.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/boardflow/v/1.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/boardflow/v/1.1.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/boardflow/v/1.1.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/boardflow/v/1.1.8"}],"affected":[{"package":{"name":"boardflow","ecosystem":"npm","purl":"pkg:npm/boardflow"},"versions":["1.1.4","1.1.5","1.2.0","1.1.6","1.2.1","1.1.7","1.1.9","1.1.8"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-HEi3CRFVbeV+QrPkdkdxz5DT5e0sp6MMc9kcAvTEXzylJ4Qy3ou7dTsIb7nCnSHUiHN/Pt+CpyvM7MgFc5zqcg==","sha1":"f033b2b163e72c13bec89fed59b09a7d5065cf0a"},"filename":"boardflow-1.1.4.tgz"}],"evidence_files":[{"path":"install.js","tlsh":"a3f17349f281344663428db7fa3b69c4c57a988c3e840943d3547d90fb66322dbd76ba","sha256":"556c26e2446daf0a7f7672c4f1c6e22a8971597f99e7cfb49fa8aa3dce9182aa"},{"path":"package.json","tlsh":"b5f0e92aca1cdc57a9f406a554258646f1061f1f01714c0f31f3931c4fb2b63809f70a","sha256":"c795ff92e91ffe6bb98097bac49685d7feecaf2162623bbe0054615f0fefc225"}],"domains":["www.pooron.org"],"ips":["64.29.17.1"]},"source":"https://github.com/ossf/malicious-packages/blob/m
ain/osv/malicious/npm/boardflow/MAL-2026-5799.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}