{"id":"MAL-2026-5825","summary":"Malicious code in @intentsolution/database-security-scanner (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7b1f4da3cb40cc2e1396230869d85bcc5a3c9267c0dc3c60dc297c08d1882230)\nThe package's main file (index.js) is heavily obfuscated using obfuscator.io-style string-array rotation, base64 fragments, and per-byte XOR decoders (e.g. `H(a0)` with key `k=[0x70,0xa0,0x89,0x48]`) that hide strings such as 'package.json', 'node_modules', '.vscode', 'npm i --silent', 'nohup', 'cd', and 'f.js'. On require(), it collects host identifiers — os.hostname(), os.userInfo().username, os.platform(), Date.now(), process.argv[1] — and beacons them as {ts,type,hid,ss,cc} to a hardcoded C2 endpoint whose host is reassembled at runtime from obfuscated constant arrays (X/z) to evade static detection. The C2 response is used to fetch a second-stage JavaScript payload via GET '\u003chost\u003e/f/\u003cR\u003e', which is written to ~/.vscode/f.js along with a fake package.json; the package then runs `cd \"\u003cdir\u003e\" && npm i --silent` and spawns `node f.js` detached (with nohup on Linux) to persist execution. A setInterval retries the beacon on failure. The package's advertised purpose (\"database-security-scanner\") is a cover story — package.json has empty author/description/license and no database-scanning code exists; the entire module is the dropper.\nAny installer that requires this package executes attacker-supplied code fetched at runtime with no hash verification, hidden staging in ~/.vscode, and detached persistence.\n","modified":"2026-06-15T20:31:53.826436162Z","published":"2026-06-15T20:09:28Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"7b1f4da3cb40cc2e1396230869d85bcc5a3c9267c0dc3c60dc297c08d1882230","import_time":"2026-06-15T20:14:29.481675912Z","versions":["1.0.0"],"id":"IN-MAL-2026-006703","modified_time":"2026-06-15T20:09:28Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@intentsolution/database-security-scanner/v/1.0.0"}],"affected":[{"package":{"name":"@intentsolution/database-security-scanner","ecosystem":"npm","purl":"pkg:npm/%40intentsolution%2Fdatabase-security-scanner"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@intentsolution/database-security-scanner/MAL-2026-5825.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-0Kuly9nrB67uf+B/qUus+/7c5K5X2IDOirWQXC68qnphyLstNjQtmIMgX0mYZbwcekDKo6Ztaxc0+JrE6o5tog==","sha1":"14bb7d6af08fe8999e1eef86e7288b8124ca5ed2"},"filename":"database-security-scanner-1.0.0.tgz"}],"evidence_files":[{"sha256":"d5b68484311e4039901d8a840c70d49e4332cf99181c747b08d86ddb5933fdad","path":"index.js","tlsh":"db2256c47fd1f052f360687b742b125a625f4c84731888e8e63a15c4bd2a765f1a7afc"},{"sha256":"ca112d2189a7b42c90ef9b2d0f835dcc858c9c5bfd762f39030b3bc19d06fed2","path":"package.json","tlsh":"1dd0a7201a61103315c142660d26a54772309e2f00407c0c57cf581c91dfa7368ff36c"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}