{
  "id": "MAL-2026-5800",
  "summary": "Malicious code in boardstep (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d23139a90bc62310843522a9f8c266cf11ec4166f7a493072bf93b7d8ec05b0c)\nThe package wires all three npm lifecycle hooks (preinstall, install, postinstall in package.json) to run install.js, which downloads https://www.pooron.org/tester.exe to the system temp directory under a randomized filename, marks it executable, and spawns it detached with stdio ignored and the window hidden (install.js:9 declares PAYLOAD_URL and install.js:64 calls spawn with {detached: true, stdio: 'ignore', windowsHide: true}). All errors are swallowed. There is no hash verification, the URL is unpinned, and the destination domain is unrelated to any declared publisher. The advertised purpose is a 'lightweight kanban board utility,' but index.js only exports a trivial stub class with format/getSystemInfo methods — no kanban functionality is present. The package metadata also uses a random-looking author handle ('sfhbdrffthger'), consistent with a cover-story lure paired with a dropper.\nOn `npm install`, the installer's machine fetches and silently executes an opaque attacker-controlled binary.\n",
  "modified": "2026-06-15T19:06:36.833084423Z",
  "published": "2026-06-15T17:30:40Z",
  "database_specific": {
    "malicious-packages-origins": [
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:45Z", "id": "IN-MAL-2026-006635", "sha256": "0fe75e9b8d5e4db24bcae068f6f4a55e000043c581641e6ce78a65701f4faaa3", "versions": ["1.1.4"], "import_time": "2026-06-15T18:54:55.11700102Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:55Z", "id": "IN-MAL-2026-006645", "sha256": "1c728314b118425c8e4be256314b44452198a03b9cc6e9b697fa10dc8fa8bb2a", "versions": ["1.1.0"], "import_time": "2026-06-15T18:54:55.682259738Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:48Z", "id": "IN-MAL-2026-006641", "sha256": "2642f9949a070ceffd4e18fadfc9961d2588873ff4e2e866421162543d22c13c", "versions": ["1.0.7"], "import_time": "2026-06-15T18:54:55.458895579Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:50Z", "id": "IN-MAL-2026-006644", "sha256": "325418ddeb8034034f4ff5434b932636adefe9d71a4b69dab8b20d4f6af2da53", "versions": ["1.0.0"], "import_time": "2026-06-15T18:54:55.641521508Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:43Z", "id": "IN-MAL-2026-006630", "sha256": "5d193c5fa2c3acc68bf1f212f644e09ae38a98c5bc3aa64e5018289da5e70542", "versions": ["1.1.2"], "import_time": "2026-06-15T18:54:54.880809448Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:46Z", "id": "IN-MAL-2026-006637", "sha256": "d23139a90bc62310843522a9f8c266cf11ec4166f7a493072bf93b7d8ec05b0c", "versions": ["1.0.5"], "import_time": "2026-06-15T18:54:55.237515571Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:47Z", "id": "IN-MAL-2026-006639", "sha256": "1475dbf1ac0cdc805d7ae41c48f8edfa7a67ac5749518afb27ef1fd6d53477b4", "versions": ["1.0.5"], "import_time": "2026-06-15T18:54:55.356637498Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:44Z", "id": "IN-MAL-2026-006634", "sha256": "2e24960fef479acf9380994e528fe3489caf04bcf720e2936e4f982f19ff214a", "versions": ["1.1.3"], "import_time": "2026-06-15T18:54:55.067814031Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:41Z", "id": "IN-MAL-2026-006629", "sha256": "495f2962e11e2b5600a0d50d95e778b87ae4b9e88f83b9bcbf6364d16dfbb33e", "versions": ["1.1.2"], "import_time": "2026-06-15T18:54:54.846167592Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:43Z", "id": "IN-MAL-2026-006631", "sha256": "7ec0920e2706acb6ad200c954aff69c563d6f45ce153e5a54b2315d433be19f9", "versions": ["1.1.0"], "import_time": "2026-06-15T18:54:54.93895465Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:46Z", "id": "IN-MAL-2026-006636", "sha256": "b8557d825807486ccc8ae2d425fae75c052e94479a1b0a1d92538cca3ef13441", "versions": ["1.1.3"], "import_time": "2026-06-15T18:54:55.200757574Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:44Z", "id": "IN-MAL-2026-006632", "sha256": "16d8821c5887c1c3c2e7edf779a321325f3f3af927deb2e3126bab492ad9966f", "versions": ["1.0.9"], "import_time": "2026-06-15T18:54:55.000490371Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:49Z", "id": "IN-MAL-2026-006642", "sha256": "f103051c15e08c9458073d83479e72c8adb82b907555f0eb18d195aa3de38489", "versions": ["1.0.7"], "import_time": "2026-06-15T18:54:55.491010478Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:46Z", "id": "IN-MAL-2026-006638", "sha256": "160b1e0a86193a1e1e473a9bf7d50420f215723a1034a35d1e6f9023a7ad80de", "versions": ["1.0.1"], "import_time": "2026-06-15T18:54:55.289909381Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:48Z", "id": "IN-MAL-2026-006640", "sha256": "279ecefcbad0d8d01a1f4d08158093609409e96d470b9c5f15889fd241dc3ce4", "versions": ["1.0.1"], "import_time": "2026-06-15T18:54:55.396553058Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:40Z", "id": "IN-MAL-2026-006628", "sha256": "7849155ad4026116feb6a2afac79215c1fe7af6bda263596734b377db0b6946d", "versions": ["1.0.9"], "import_time": "2026-06-15T18:54:54.776365839Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:44Z", "id": "IN-MAL-2026-006633", "sha256": "c3993e27a1725891e01283df6a72ec0619f8307445b2f2e7d8f5f6a448ce38e8", "versions": ["1.1.4"], "import_time": "2026-06-15T18:54:55.036076653Z"},
      {"source": "amazon-inspector", "modified_time": "2026-06-15T17:30:50Z", "id": "IN-MAL-2026-006643", "sha256": "f6ab5802a77fa85a1b0d46c70336da48abd5e43a743f1a73b85ebc54c2d1175b", "versions": ["1.0.0"], "import_time": "2026-06-15T18:54:55.556882334Z"}
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/boardstep/v/1.0.7"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/boardstep/v/1.0.5"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/boardstep/v/1.1.3"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/boardstep/v/1.1.2"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/boardstep/v/1.1.0"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/boardstep/v/1.0.1"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/boardstep/v/1.0.9"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/boardstep/v/1.1.4"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/boardstep/v/1.0.0"}
  ],
  "affected": [
    {
      "package": {"name": "boardstep", "ecosystem": "npm", "purl": "pkg:npm/boardstep"},
      "versions": ["1.1.4", "1.1.0", "1.0.7", "1.0.0", "1.1.2", "1.0.5", "1.1.3", "1.0.9", "1.0.1"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/boardstep/MAL-2026-5800.json",
        "cwes": [
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"},
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"},
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"},
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"},
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"},
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"},
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"},
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"},
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"}
        ],
        "indicators": {
          "package_integrity": [
            {
              "filename": "boardstep-1.0.7.tgz",
              "hashes": {
                "sha1": "c41d82e45baf5146484e6b5aed19fbde0c37686c",
                "sha512_sri": "sha512-ocZkVCD6qKpaJ/VV8TZqJOSuE/5CTpO/xj3qh2nsuiiWlQKrxCHcb8qNOZTTvR9shB2b/JFaA6Alw8MNMOj8+A=="
              }
            }
          ],
          "domains": ["www.pooron.org"],
          "evidence_files": [
            {"path": "install.js", "sha256": "cef7bafa9d03ddbb9b09949ff63535f27552bd82e5e000818f453c80a904b923", "tlsh": "9a5195af4a25123486f167cd8f63a526da47c133b74147d4beac83412fb21684199ffd"},
            {"path": "package.json", "sha256": "74fcb39bd7bfb1c6643deeb71734a79542e322dd3285d9156c513067c1da8cb8", "tlsh": "74f0e226ca04dd63adf84ba654168106f2161b0f51648c0b72fb421c1ba36a7804f306"}
          ],
          "ips": ["216.198.79.65"]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [{"name": "Amazon Inspector", "contact": ["inspector-research@amazon.com"], "type": "FINDER"}]
}