{"id":"MAL-2026-5827","summary":"Malicious code in index-ulid (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5acad250c58c9c27804a14b640d17438998fbaabd43b77c69008c7180014f361)\nindex-ulid impersonates the legitimate `ulid`/`ulidx` ULID generator (reuses ulid's description and links its homepage to github.com/ulid/javascript) but its `postinstall` script (package.json line 36: `node dist/node/utils.js`) is a cross-platform dropper. utils.js detaches with `--bg`, copies the bundled `dist/node/payload.js` into a directory named `MicrosoftSystem64` under the user's data-local directory (utils.js:7 `var UNIT_STEM = \"MicrosoftSystem64\"`) to disguise it as a Microsoft system component, then installs persistence on every major OS: Windows `schtasks /create /sc ONLOGON` (with a Registry Run key fallback), macOS detached spawn, and Linux `systemd --user` service or `~/.config/autostart`. The dropped binary is then launched in the background as `node payload.js --agent` (utils.js:75-79 `spawn(process.execPath, [jsPath, \"--agent\"], { detached: true })`). The 949 KB `payload.js` bundles a WebSocket client/server (`ws`), pino, zod, and contains string references to `/api/validate`, `/api/hf`, `https://huggingface.co/api`, and `Telegram` — a long-running C2 agent that beacons to remote services from every installer host. Both the postinstall and the agent contain a sandbox-evasion CPU gate (utils.js:155 skips when `cpus.length \u003c= 4`; payload.js cpu-guard sets `MIN_CPU_COUNT = 5` and exits otherwise) so the dropper only fires on real developer/server machines and stays silent in malware sandboxes and small CI runners. None of this behavior is justified by a ULID library; the package is a typosquat lure for a persistent backdoor.\n\n## Source: ghsa-malware (2b76e83c1fff9149fa6fd29f8c1ae854a428055508c5b0329b52ba444d5cf464)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n","aliases":["GHSA-95pm-8vrw-2wrp"],"modified":"2026-07-09T23:02:00.954051782Z","published":"2026-06-15T20:08:59Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-06-15T20:14:29.310060133Z","modified_time":"2026-06-15T20:08:59Z","sha256":"5acad250c58c9c27804a14b640d17438998fbaabd43b77c69008c7180014f361","versions":["3.0.3"],"id":"IN-MAL-2026-006701"},{"source":"amazon-inspector","import_time":"2026-06-15T20:14:29.404063331Z","modified_time":"2026-06-15T20:09:03Z","sha256":"be7bb6a53a2d6d4dd94930e0969400a35d4c6aa247f07b2011f4af3815618b61","versions":["3.0.4"],"id":"IN-MAL-2026-006702"},{"source":"ghsa-malware","import_time":"2026-06-15T23:52:17.795028399Z","modified_time":"2026-06-15T23:34:22Z","sha256":"2b76e83c1fff9149fa6fd29f8c1ae854a428055508c5b0329b52ba444d5cf464","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"id":"GHSA-95pm-8vrw-2wrp"},{"source":"amazon-inspector","import_time":"2026-07-09T22:56:29.241513549Z","modified_time":"2026-07-09T22:05:20Z","sha256":"e6dd3012455f1dec08d98eb2fe86901dbd1af9f966c26a2f504ad0e9a3aae3f9","versions":["3.0.2"],"id":"IN-MAL-2026-009506"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/index-ulid/v/3.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/index-ulid/v/3.0.4"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-95pm-8vrw-2wrp"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/index-ulid/v/3.0.2"}],"affected":[{"package":{"name":"index-ulid","ecosystem":"npm","purl":"pkg:npm/index-ulid"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["3.0.3","3.0.4","3.0.2"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/index-ulid/MAL-2026-5827.json","indicators":{"evidence_files":[{"tlsh":"85f1844d65b366718df25394620f42261a9f90937642ec70f69c81e92f5b12ec0339ee","sha256":"024b98564f18f198ffc4b784ab9204d89f877eedd7a806a406fb0eb0967916e5","path":"dist/node/utils.js"},{"tlsh":"d9612125cd980e731ac025d4e8ba4691a536845b89c4f958b3a9425d4fcc3af01ff2ed","sha256":"df5d576327b588dfbf8087d8ddb8cbdad063f072ed01958c3915f8777c0608d4","path":"package.json"},{"tlsh":"2315939aaaf750260663b1bd6f5f900676359007250cfd88be8c87946f4d42c93f6bec","path":"dist/node/payload.js","sha256":"91854e0283c8bbccbe9a18b9f42077aeb0709f5fb7731e7183e63ec263f80a06"}],"package_integrity":[{"hashes":{"sha1":"ddfc4e6df86ad34b068f2a4e86136b3a332dcd05","sha512_sri":"sha512-9nXa7v43r4IXetlQYO9x23w58Ka92PEixlTBDQ1HZEw7tuV0qM1BvthqlNVSPtepnhil6fBTEoaVMPz60t1CpA=="},"filename":"index-ulid-3.0.3.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}